Critical .NET Remoting Flaws Expose Seagull BarTender to RCE and SYSTEM Escalation
Seagull Software BarTender was found to contain two high-severity flaws in the .NET Remoting service exposed by BtSystem.Service.exe on TCP port 7375. CVE-2026-25550 affects BarTender 2010, 2016, and 2019 and allows unauthenticated remote code execution because the service exposes unauthenticated singleton endpoints and uses BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, enabling unsafe object unmarshalling. Researchers said attackers can abuse the issue to read or write arbitrary files through the .NET WebClient class or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server.
A second issue, CVE-2026-25551, affects BarTender 2021 R1 through 12.0.1 and enables local privilege escalation through insecure deserialization on the DataServiceSingleton endpoint bound to localhost. A low-privileged user can send BinaryFormatter payloads, including those generated with YSoSerial.NET, to execute code as NT AUTHORITY\SYSTEM. Both flaws stem from unsafe deserialization patterns in the BarTender remoting service and can result in full system compromise, credential disclosure, and follow-on lateral movement depending on the environment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-25551 received for local BarTender privilege escalation
A new CVE entry for Seagull Software BarTender 2021 R1 through 12.0.1 was received by disclosure@vulncheck.com on June 4, 2026, covering an insecure deserialization flaw in the DataServiceSingleton .NET Remoting endpoint on localhost TCP port 7375. The issue allows a low-privileged local user to send crafted BinaryFormatter payloads and execute code as NT AUTHORITY\SYSTEM.
CVE-2026-25550 disclosed for BarTender .NET Remoting RCE
A new CVE entry described an unauthenticated remote code execution vulnerability affecting Seagull Software BarTender 2010, 2016, and 2019 via the BtSystem.Service.exe .NET Remoting service on TCP port 7375. The flaw stems from unsafe deserialization in unauthenticated singleton endpoints and can enable arbitrary file access, NTLMv2 coercion, and code execution as NT AUTHORITY\SYSTEM.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-25551 - Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service
cvefeed.io
Open sourceSeagull Software BarTender Unauthenticated RCE via .NET Remoting Service | Advisories | VulnCheck
vulncheck.com
Open sourceCVE-2026-25550 - Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Local Code Execution Flaws Disclosed in PDF Explorer and RGui
Two newly cataloged CVEs detail local code execution vulnerabilities in Windows desktop applications **PDF Explorer 1.5.66.2** and **RGui 3.5.0**. **CVE-2018-25217** affects PDF Explorer through a structured exception handler (SEH) overflow in the application's **Custom fields settings** dialog, where malicious data placed in the **Label** field can overwrite SEH records and enable arbitrary code execution. The issue is mapped to `CWE-787` and was published with CVSS v4.0 and v3.1 scoring, alongside references to Exploit-DB, RTT Software, a trial installer, and a VulnCheck advisory. **CVE-2018-25258** affects RGui 3.5.0 through a stack-based buffer overflow in the **GUI preferences** dialog, specifically the **Language for menus and messages** field. The disclosure says an attacker can use SEH-based exploitation to bypass DEP, run a ROP chain that calls `VirtualAlloc`, and achieve arbitrary code execution on the local system. The entry was published with CVSS v4.0 and v3.1 vectors and references to the affected R 3.5.0 Windows binary, Exploit-DB, the R Project website, and a VulnCheck advisory.
Apr 12, 2026
Unauthenticated RCE in Spacelabs Healthcare Sentinel via Exposed .NET Remoting
Spacelabs Healthcare **Sentinel** versions `10.5.x` and later, and `11.x.x` before `11.6.0`, are affected by **CVE-2026-0611`, an unauthenticated remote code execution flaw tied to a deprecated **.NET Remoting HTTP** channel. The vulnerable service listens on port `8989` and can expose arbitrary file read and write functionality when attackers supply valid .NET URI endpoints, creating a path to compromise the application without authentication. Researchers reported that attackers could use the file-write access to place **ASPX webshells** in the IIS `wwwroot` directory and execute code on the target system. Advisories note that port `8989` is **not exposed by default** in Sentinel deployments, meaning exploitation depends on the remoting service having been deliberately made network-accessible through configuration or network policy changes. The issue was credited to Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.
Jun 2, 2026
Critical Remote Code Execution Vulnerabilities in SmarterMail and GNU InetUtils telnetd
SmarterTools released *SmarterMail* Build **9511** to address multiple security issues, including a **critical unauthenticated RCE** in the `ConnectToHub` API method tracked as **CVE-2026-24423** (CVSS **9.3**). The flaw allows an attacker to direct SmarterMail to an attacker-controlled HTTP server that returns a malicious OS command, which the application then executes. The same build also fixes another critical issue, **CVE-2026-23760** (CVSS **9.3**), which has been reported as **actively exploited in the wild**, and a medium-severity issue **CVE-2026-25067** (CVSS **6.9**) described as unauthenticated path coercion that can trigger outbound SMB authentication to attacker-controlled UNC paths, enabling **credential coercion/NTLM relay** scenarios. Separately, a proof-of-concept exploit was reported for an older critical RCE in **GNU InetUtils `telnetd`** tracked as **CVE-2026-24061**, raising the likelihood of broad compromise across an estimated **800,000+** internet-exposed instances. The Shadowserver Foundation reported the largest concentrations of exposed legacy deployments in **China**, followed by **Brazil, the U.S., Japan, and Mexico**, and urged organizations to audit for exposed telnet services (commonly `23/TCP`), disable `telnetd`, enforce firewall restrictions, and migrate to **SSH** to reduce exposure.
Mar 21, 2026