[tiraniddo]

Yes it’s just as vulnerable (example [1]), but I think .net serialization is exposed less often to untrusted inputs than Java with its myriad of enterprise software.

[1] https://googleprojectzero.blogspot.co.uk/2017/04/exploiting-...

Full disclosure, I’m the author of that blog post.