Description
Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM.
References (5)
Core 5
Core References
Various Sources product
https://www.hyland.com/en/internal/onbase-unity-client
Various Sources technical-description
exploit
https://gist.github.com/VAMorales/32794cccc2195a935623a12ef32760dc
Various Sources patch
https://support.hyland.com/r/OnBase/WorkView/Foundation-24.1/WorkView/Installation/Upgrade-Considerations/Upgrading-to-OnBase-Version-Foundation-24.1
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/hyland-onbase-net-remoting-tcp-channel-unauthenticated-rce
Various Sources vendor-advisory
mitigation
permissions-required
https://community.hyland.com/resources/bulletins-and-notices/210540-security-update-hyland-timer-service-bulletin-ob2025-02
Scores
CVSS v4
10.0
EPSS
0.0061
EPSS Percentile
44.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
Hyland Software/OnBase
< 17.0.2.87
Hyland Software/OnBase
24.1
Published
Aug 13, 2025
Tracked Since
Feb 18, 2026