Skip to main content

PACSgear MediaWriter CVE-2026-58127

| EUVDEUVD-2026-41037 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-07-01 VulnCheck GHSA-9h7v-mf98-p6r6
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable remoting service with no user interaction (AV:N/AC:L/PR:N/UI:N) yielding SYSTEM-level file read/write and code execution, so C/I/A all High.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVE Published
Jul 01, 2026 - 15:59 cve.org
CRITICAL 9.3
Analysis Generated
Jul 01, 2026 - 15:50 vuln.today

DescriptionCVE.org

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

AnalysisAI

Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach .NET Remoting service on port 9000
Delivery
Connect to default ObjectURI unauthenticated
Exploit
Abuse MarshalByRefObject unmarshalling for file write
Execution
Plant malicious CRYPTBASE.DLL in app directory
Persist
Wait for MediaWriter service restart
Impact
Execute code as NT AUTHORITY\SYSTEM

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the .NET Remoting TCP service on port 9000 exposed by PacsgearMediaServerEngine.dll on a PACSgear MediaWriter 5.2.1 host; no authentication, credentials, or user interaction are needed (PR:N/UI:N), and the ObjectURIs RemoteObj and UIRemoteObj are identical across all default installations, so no per-target discovery is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals align toward high real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to TCP port 9000 connects to the unauthenticated .NET Remoting endpoint using the known default ObjectURI (RemoteObj/UIRemoteObj) and, via MarshalByRefObject unmarshalling with WebClient methods, writes a malicious CRYPTBASE.DLL into the MediaWriter application directory. When the SYSTEM-level MediaWriter service next restarts, it loads the planted DLL from its own directory and the attacker gains code execution as NT AUTHORITY\SYSTEM. …
Remediation No vendor-released patch version is identified in the available data, so the primary action is to contact Hyland for a fixed release and consult the VulnCheck advisory (https://www.vulncheck.com/advisories/pacsgear-mediawriter-unauthenticated-rce-via-net-remoting-tcp-service). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy