Back to overview

CVE-2026-58127

CRITICAL Exploitation: PoC
9.8
CVSS 3.1
Description
PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

Metadata

CVE ID
CVE-2026-58127
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-29 14:13 UTC
Published
2026-07-01 14:41 UTC
Last updated
2026-07-01 17:25 UTC
Primary CWE
CWE-306
Missing Authentication for Critical Function
Vendor / Product
Hyland / PACSgear MediaWriter
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Hyland PACSgear MediaWriter 5.2.1
Weakness (CWE)
CWESourceDescription
CWE-306 cna Missing Authentication for Critical Function
CWE-502 cna Deserialization of Untrusted Data
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview