Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\SYSTEM.
Analysis (AI)
Local privilege escalation in Seagull Software BarTender 2021 R1 through 12.0.1 allows any low-privileged user on the host to gain SYSTEM execution by sending a crafted BinaryFormatter payload to a localhost-bound .NET Remoting endpoint. Publicly available exploit code exists (a YSoSerial.NET-based PoC is published as a GitHub gist), and the issue carries a CVSS 4.0 base score of 8.5 with high confidentiality, integrity, and availability impact. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) local logon to a Windows host running Seagull BarTender 2021 R1 through 12.0.1 with BtSystem.Service.exe started and listening on loopback TCP/7375, (2) any low-privileged interactive or non-interactive account on that host (PR:L confirmed by CVSS), and (3) the ability to execute an arbitrary binary or script that opens a loopback TCP socket - no admin rights, no user interaction, and no non-default BarTender configuration. … |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:H) accurately reflects the real risk: trivial complexity, no user interaction, and total host compromise from any authenticated local account. … |
| Exploit Scenario | A standard-user attacker - for example, an employee on a shared print-management workstation or an adversary who has already phished a low-privileged account - runs YSoSerial.NET to generate a BinaryFormatter gadget chain and pipes the bytes to 127.0.0.1:7375 over the .NET Remoting protocol. BtSystem.Service.exe deserializes the payload with TypeFilterLevel=Full, executing the gadget and spawning a SYSTEM-level command shell. … |
| Remediation | Patch availability per vendor advisory is referenced via the Seagull download portal at https://portal.seagullscientific.com/downloads/bartender - upgrade BarTender past 12.0.1 to the latest build that disables or hardens the DataServiceSingleton .NET Remoting endpoint, and confirm the fixed version against the VulnCheck advisory at https://www.vulncheck.com/advisories/seagull-software-bartender-deserialization-privilege-escalation-via-net-remoting-service since an exact fix version was not included in the provided data. … |
Recommended Action (AI)
Within 24 hours: Inventory all BarTender installations to identify affected versions (2021 R1 through 12.0.1) and assess user access patterns. …
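A host-side check for the inventory step above, as an added example (not code from vuln.today, Seagull or the advisory): it reports which process owns the TCP/7375 listener, the account it runs as, and its product version. The function name and output fields are assumptions; compare the reported version against the vendor advisory, since the page gives no fixed build.

```powershell
# Added example. Port 7375 and BtSystem.Service.exe come from the CVE description;
# the function name and output fields are illustrative. Run elevated so the image
# path of a SYSTEM-owned process can be resolved.
function Get-BarTenderRemotingExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 7375,                                # DataServiceSingleton port per the description
        [string]$ExpectedImage = 'BtSystem.Service.exe'   # hosting service binary per the description
    )

    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Verbose "No listener on TCP/$Port on $env:COMPUTERNAME"
        return
    }

    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)" -ErrorAction SilentlyContinue |
                Select-Object -First 1

        # Path is $null when the caller lacks rights to query the process.
        $image   = if ($proc) { $proc.Path } else { $null }
        $leaf    = if ($image) { Split-Path -Leaf $image } else { $null }
        $version = if ($image -and (Test-Path -LiteralPath $image)) {
            (Get-Item -LiteralPath $image).VersionInfo.ProductVersion
        } else { $null }

        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            LocalAddress    = $l.LocalAddress
            Port            = $l.LocalPort
            ProcessId       = $l.OwningProcess
            Image           = $image
            ProductVersion  = $version      # compare with the vendor advisory
            ServiceName     = if ($svc) { $svc.Name } else { $null }
            RunsAs          = if ($svc) { $svc.StartName } else { $null }
            IsExpectedImage = ($leaf -eq $ExpectedImage)
            # The description says the endpoint is bound to localhost; any other
            # bind address means the exposure is wider than local users.
            LoopbackOnly    = ($l.LocalAddress -in '127.0.0.1', '::1')
        }
    }
}

Get-BarTenderRemotingExposure -Verbose | Format-List
```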
EUVD-2026-34306
GHSA-g42f-xxvf-qj27