CVE-2025-34392 PUBLISHED

Barracuda RMM < 2025.1.1 Service Center Absolute Path Traversal RCE

Assigner: VulnCheck
Reserved: 15.04.2025 Published: 10.12.2025 Updated: 18.12.2025

Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Barracuda Networks
Product	RMM
Versions	Default: unaffected affected from 2025.1 to 2025.1.1 (excl.)

CVE-2025-34392 PUBLISHED

Barracuda RMM < 2025.1.1 Service Center Absolute Path Traversal RCE

Metrics

Product Status

Credits

References

Problem Types