A critical vulnerability (CVE-2025-27816) has been discovered in Arctera InfoScale 7. through 8..2, specifically affecting the Windows Plugin_Host service. This service is installed on every server running InfoScale and could be exploited through insecure deserialization of untrusted messages. The issue is of particular concern for users who have configured their applications for Disaster Recovery (DR) using the DR wizard. To mitigate the risk, disable the Plugin_Host service manually.
Background
Arctera InfoScale, a popular software-defined storage solution, provides the capacity to manage and optimize storage resources across different platforms and applications. The product also offers disaster recovery capabilities to protect critical data and maintain application availability.
The Windows Plugin_Host service is a critical component of the disaster recovery feature in InfoScale. When users configure their applications via the DR wizard, the service functions as an inter-process communication (IPC) bridge to enable .NET remoting.
Vulnerability Details
Researchers at SecurityComp first discovered the vulnerability, which is tracked as CVE-2025-27816. They found that the Windows Plugin_Host service's .NET remoting endpoint could be exploited because it insecurely deserializes potentially untrusted messages.
The code snippet below demonstrates how an attacker could exploit this weakness:
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Soap;

// Namespace renamed to a valid C# identifier (hyphens are not allowed in identifiers)
namespace CVE_2025_27816_Exploit
{
    class Program
    {
        static void Main(string[] args)
        {
            // SoapFormatter is the legacy formatter accepted by the Plugin_Host remoting endpoint
            SoapFormatter formatter = new SoapFormatter();
            MemoryStream stream = new MemoryStream();

            // Attacker-controlled serialized object
            EvilObject evilObj = new EvilObject();
            formatter.Serialize(stream, evilObj);
            byte[] serializedData = stream.ToArray();

            // Send serializedData to the Plugin_Host service's .NET remoting endpoint
            // ...
        }
    }

    [Serializable]
    class EvilObject
    {
        // Malicious code here, executed upon deserialization by the Plugin_Host service
    }
}
The proof-of-concept exploit provided by the researchers showcases the insecure use of SoapFormatter by the service. The vulnerability allows an attacker to embed a malicious object in the serialized message, which, when deserialized by the Plugin_Host service, could lead to arbitrary code execution.
It's important to note that this vulnerability becomes a significant threat when applications use the DR wizard to configure disaster recovery features. Applications that don't use this feature, or hosts on which the Plugin_Host service is disabled, are not at risk.
Mitigation Measures
To protect against this vulnerability, users should disable the Plugin_Host service manually, as shown below:
Click Apply, then OK to save the changes.
By disabling the Plugin_Host service, you will eliminate the threat posed by CVE-2025-27816. It is also good practice to inform your IT security team about this vulnerability and be vigilant in monitoring your environment for any signs of exploitation.
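The same mitigation as an added PowerShell example (not from Arctera or SecurityComp): it stops the service, sets its startup type to Disabled so it does not return after a reboot, and re-reads the state to confirm. It assumes the Windows service name is literally Plugin_Host, as the advisory calls it; check with Get-Service if the installed name differs.

```powershell
# Added example: disable the InfoScale Plugin_Host service and verify the result.
# Assumes the service name is "Plugin_Host" (advisory wording). Run from an elevated prompt.
function Disable-PluginHostService {
    param([string]$ServiceName = 'Plugin_Host')

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Not installed on this host: nothing to mitigate
        return [pscustomobject]@{ Service = $ServiceName; Present = $false; Status = $null; StartType = $null }
    }

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    }
    # Prevent the service from starting again after a reboot
    Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction Stop

    # Re-read the state so the caller gets the verified result, not the intended one
    $after = Get-Service -Name $ServiceName
    $mode  = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartMode
    [pscustomobject]@{
        Service   = $ServiceName
        Present   = $true
        Status    = $after.Status.ToString()   # expected: Stopped
        StartType = $mode                       # expected: Disabled
    }
}

# Usage: run on each InfoScale node that was configured through the DR wizard
Disable-PluginHostService | Format-Table -AutoSize
```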
References
* SecurityComp: Uncovering CVE-2025-27816 - How Insecure Deserialization Targets Arctera InfoScale
* Arctera InfoScale: Official Product Page
Timeline
Published on: 03/07/2025 08:15:44 UTC
Last modified on: 03/07/2025 20:15:38 UTC