Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network-reachable remoting service with no user interaction (AV:N/AC:L/PR:N/UI:N) yielding SYSTEM-level file read/write and code execution, so C/I/A all High.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.
AnalysisAI
Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the .NET Remoting TCP service on port 9000 exposed by PacsgearMediaServerEngine.dll on a PACSgear MediaWriter 5.2.1 host; no authentication, credentials, or user interaction are needed (PR:N/UI:N), and the ObjectURIs RemoteObj and UIRemoteObj are identical across all default installations, so no per-target discovery is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals align toward high real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to TCP port 9000 connects to the unauthenticated .NET Remoting endpoint using the known default ObjectURI (RemoteObj/UIRemoteObj) and, via MarshalByRefObject unmarshalling with WebClient methods, writes a malicious CRYPTBASE.DLL into the MediaWriter application directory. When the SYSTEM-level MediaWriter service next restarts, it loads the planted DLL from its own directory and the attacker gains code execution as NT AUTHORITY\SYSTEM. … |
| Remediation | No vendor-released patch version is identified in the available data, so the primary action is to contact Hyland for a fixed release and consult the VulnCheck advisory (https://www.vulncheck.com/advisories/pacsgear-mediawriter-unauthenticated-rce-via-net-remoting-tcp-service). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41037
GHSA-9h7v-mf98-p6r6