Skip to main content

Seagull BarTender CVE-2026-25550

| EUVDEUVD-2026-34304 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-04 VulnCheck GHSA-2q9g-666g-vcp9
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 04, 2026 - 18:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 18:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 18:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Jun 04, 2026 - 18:01 vuln.today

DescriptionCVE.org

Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint - BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 - configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server, enabling sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY\SYSTEM.

AnalysisAI

Unauthenticated remote code execution in Seagull Software BarTender 2010, 2016 (<=R9), and 2019 (<=R10) is reachable over TCP/7375 through the BtSystem.Service.exe .NET Remoting endpoint, which runs as NT AUTHORITY\SYSTEM. The exposed singleton uses BinaryServerFormatterSinkProvider with TypeFilterLevel=Full, allowing attackers to abuse deserialization-style object unmarshalling to read/write arbitrary files, coerce NTLMv2 authentication via UNC paths, or pivot to full code execution. No public exploit identified at time of analysis, but the VulnCheck advisory documents the attack primitives in detail.

Technical ContextAI

BarTender is a widely deployed enterprise label-design and print-automation suite from Seagull Scientific. The affected component is BtSystem.Service.exe, a Windows service that hosts a legacy Microsoft .NET Remoting endpoint on TCP/7375. .NET Remoting is a deprecated RPC mechanism whose BinaryServerFormatterSinkProvider with TypeFilterLevel.Full permits clients to instantiate arbitrary serializable .NET types on the server - a well-known unsafe deserialization pattern documented by Microsoft and exploited via ysoserial.net gadget chains for years. The two named endpoints (BarTenderSystem for 2016 and DataServiceSingleton for 2019) are registered without any authentication sink, which directly maps to CWE-306 (Missing Authentication for Critical Function). Specific abuse paths described include calling System.Net.WebClient methods to perform arbitrary file I/O and using UNC paths to coerce SYSTEM-account NTLMv2 authentication to an attacker-controlled SMB server.

RemediationAI

No vendor-released patch identified at time of analysis; the cited references point to the Seagull download portal and the VulnCheck advisory rather than a numbered fix release, so administrators should contact Seagull Scientific to confirm a patched build and upgrade BarTender 2016 beyond R9 or BarTender 2019 beyond R10 (BarTender 2010 is end-of-life and likely requires migration to a supported major version). As an immediate compensating control, block inbound TCP/7375 to all BarTender servers at the host firewall and network perimeter - this disables remote Print Portal/Administration Console connectivity from other hosts, so confirm whether your environment uses centralized print management before enforcing. If feasible, stop or disable the BtSystem service on systems that do not require remote system administration features; this will break the Administration Console's remote management but not local printing. Restrict network reachability of BarTender servers to a management VLAN, monitor SMB egress to detect NTLM coercion attempts, and rotate the BtSystem service account credentials after remediation in case of prior compromise. Consult the Seagull download portal (https://portal.seagullscientific.com/downloads/bartender) and the VulnCheck advisory (https://www.vulncheck.com/advisories/seagull-software-bartender-unauthenticated-rce-via-net-remoting-service) for vendor-confirmed fixed versions.

Share

CVE-2026-25550 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy