
Security researchers at LRQA have uncovered a critical remote code execution (RCE) vulnerability in Broadcom’s Symantec Endpoint Management Suite, formerly known as Altiris, that could allow unauthenticated attackers to execute arbitrary code on vulnerable systems.
The flaw, assigned CVE-2025-5333, affects multiple versions of the widely used enterprise endpoint management platform and has been rated with a critical CVSS score of 9.5.
Vulnerability Overview
The vulnerability stems from an exposed legacy .NET Remoting endpoint in the Symantec Altiris Inventory Rule Management (IRM) component, accessible at tcp://
When this endpoint is reachable over the network, it enables attackers to exploit insecure deserialization of .NET objects, leading to complete system compromise without requiring authentication.
| CVE Details | Information |
| --- | --- |
| CVE ID | CVE-2025-5333 |
| Severity | Critical |
| CVSS v4.0 Score | 9.5 |
| CVSS Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| Affected Product | Broadcom Symantec Endpoint Management Suite (Altiris) |
| Affected Versions | 8.6.x, 8.7.x, 8.8 |
The vulnerability was discovered during a recent Red Team engagement when security researchers gained access to a hardened workstation and began reconnaissance activities.
While examining running processes, they identified Symantec Endpoint Management services and decided to investigate the infrastructure as a potential privilege escalation and lateral movement vector.
Using PowerShell to enumerate listening network services, the researchers found port 4011 bound to 0.0.0.0, meaning the service was listening on all network interfaces rather than only on localhost.
Further investigation using dnSpy, a .NET debugger and assembly editor, revealed that the application was using RemotingConfiguration.RegisterWellKnownServiceType, indicating the presence of legacy .NET Remoting.
The decompiled code showed that the application used BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, a configuration known to be unsafe as it enables unrestricted object deserialization.
This vulnerability class was originally explored by James Forshaw in 2014 and represents a well-documented attack vector for .NET Remoting services.
Researchers confirmed the vulnerability using Forshaw’s ExploitRemotingService tool, successfully executing commands and retrieving directory contents from the target system remotely.
Following coordinated disclosure procedures, LRQA reported the vulnerability to Broadcom’s Product Security Incident Response Team (PSIRT). Broadcom responded promptly and professionally, confirming the issue and providing mitigation guidance.
The primary mitigation involves ensuring port 4011 is closed on the Notification Server firewall, as official documentation does not require this port to be opened.
Additionally, administrators can configure the IRM_HostedServiceUrl setting to remain empty, restricting .NET Remoting access to localhost only.
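A defender-side check for the exposure and mitigations described above, as an added example that is not code from LRQA or Broadcom. It assumes port 4011 as named in the article and uses the built-in Get-NetTCPConnection and NetSecurity cmdlets; the helper name Test-PortSpec is hypothetical.

```powershell
# Added example: audit this host for exposure of the IRM .NET Remoting listener.
$Port = 4011   # port named in the article

# 1. Which addresses is the port bound to, and which process owns it?
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) { Write-Output "No TCP listener on port $Port." }

foreach ($l in $listeners) {
    $ip   = [System.Net.IPAddress]::Parse($l.LocalAddress)
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    # 0.0.0.0 and :: are wildcard binds; only 127.0.0.0/8 and ::1 count as loopback.
    $binding = 'network-reachable unless firewalled'
    if ([System.Net.IPAddress]::IsLoopback($ip)) { $binding = 'loopback only' }
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        Process      = $proc.ProcessName
        ProcessId    = $l.OwningProcess
        Binding      = $binding
    }
}

# 2. Enabled inbound allow rules that name the port explicitly or by range.
#    Rules with LocalPort 'Any' (usually program-scoped) are not listed; review them separately.
function Test-PortSpec([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { Test-PortSpec $_.LocalPort $Port } |
    ForEach-Object {
        $ports = $_.LocalPort -join ','
        $_ | Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
            Select-Object DisplayName, Profile, @{ n = 'LocalPort'; e = { $ports } }
    }
```

Run it in an elevated session on the Notification Server. A wildcard bind combined with a matching allow rule is the condition the firewall and localhost-only mitigations are meant to remove.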
Broadcom has indicated that future product releases will include enhanced security measures to limit and secure the use of .NET Remoting for the IRM/HostedService component, preventing remote access to this potentially dangerous endpoint.
Organizations using affected versions should immediately review their firewall configurations and implement the recommended mitigations to prevent exploitation of this critical vulnerability.