How is CVE-2026-0611 exploited?

Network reachability (required): The attacker must reach port 8989 over the network; this port is not exposed in a default Sentinel installation, so exploitation requires that it has been made network-accessible through deliberate configuration or a network policy change. Authentication (not-required): The .NET Remoting channel performs no authentication check, so any client that can connect to port 8989 can send malicious payloads without credentials. Victim interaction (not-required): Exploitation is fully automated and requires no action from any user or administrator on the target system. Attack complexity (info): The exploit is reliable under normal conditions, though it requires that the attacker target a specific precondition (port 8989 being network-accessible), which slightly constrains but does not prevent a determined attacker.

What is the impact of CVE-2026-0611?

Attacker reads arbitrary files from the host filesystem, including configuration files, credentials, and application secrets. Attacker writes arbitrary files to the IIS web root, enabling webshell deployment and persistent code execution under the IIS worker process identity. Attacker executes arbitrary commands on the host with the privileges of the IIS application pool account, which in many Windows deployments carries broad local privileges. Full confidentiality, integrity, and availability of the Sentinel application and its stored patient monitoring data are compromised.

Back to search

CRITICALCVE-2026-0611Published 2026-06-02Modified 2026-06-02CNA VulnCheck

CVE-2026-0611: Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting

Q: What is CVE-2026-0611?

This is an unauthenticated remote code execution vulnerability in Spacelabs Healthcare Sentinel versions 10.5.x through 11.x.x before 11.6.0. The flaw stems from a deprecated .NET Remoting HTTP channel exposed on port 8989, which accepts arbitrary .NET URI endpoints without any authentication check. An attacker who can reach that port can write ASPX webshells to the IIS web root and execute arbitrary code on the host. A patched-image rebuild at version 11.6.0 is available on HarborGuard for environments running an affected version.

Q: How is CVE-2026-0611 fixed?

A patched-image rebuild at Sentinel 11.6.0 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.

Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel exposed on port 8989 that allows attackers to perform arbitrary file read and write operations by supplying valid .NET URI endpoints. Attackers can write ASPX webshells to the IIS wwwroot directory to achieve unauthenticated remote code execution on the system. Port 8989 is not exposed in a default Sentinel installation; exploitation requires that the .NET Remoting port has been explicitly made network-accessible through deliberate configuration or network policy changes.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 11.6.0
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an unauthenticated remote code execution vulnerability in Spacelabs Healthcare Sentinel versions 10.5.x through 11.x.x before 11.6.0. The flaw stems from a deprecated .NET Remoting HTTP channel exposed on port 8989, which accepts arbitrary .NET URI endpoints without any authentication check. An attacker who can reach that port can write ASPX webshells to the IIS web root and execute arbitrary code on the host. A patched-image rebuild at version 11.6.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-0611 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images derived from affected Sentinel base layers.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 9.2 (Critical) and weighting that score against each environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within a customer org based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild at Sentinel 11.6.0 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach port 8989 over the network; this port is not exposed in a default Sentinel installation, so exploitation requires that it has been made network-accessible through deliberate configuration or a network policy change.
AuthenticationNot required
The .NET Remoting channel performs no authentication check, so any client that can connect to port 8989 can send malicious payloads without credentials.
Victim interactionNot required
Exploitation is fully automated and requires no action from any user or administrator on the target system.
Attack complexityDetail
The exploit is reliable under normal conditions, though it requires that the attacker target a specific precondition (port 8989 being network-accessible), which slightly constrains but does not prevent a determined attacker.

Blast Radius

Attacker reads arbitrary files from the host filesystem, including configuration files, credentials, and application secrets.
Attacker writes arbitrary files to the IIS web root, enabling webshell deployment and persistent code execution under the IIS worker process identity.
Attacker executes arbitrary commands on the host with the privileges of the IIS application pool account, which in many Windows deployments carries broad local privileges.
Full confidentiality, integrity, and availability of the Sentinel application and its stored patient monitoring data are compromised.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-0611 is active across all connected registries and pipelines the moment the CVE was ingested from the VulnCheck feed. For environments running Sentinel 10.5.0 through 11.5.x, a patched-image rebuild targeting version 11.6.0 is available. For customers who opt into auto-remediation, HarborGuard can execute the full rebuild-and-PR flow automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with CVSS 9.2 Critical severity and routes it to the appropriate team for manual action. As an interim compensating control, customers should audit network policy to confirm that port 8989 is not exposed outside the host or a tightly scoped internal segment, since the vulnerability is only reachable when that port has been explicitly opened.

See how HarborGuard automates this

Fix available

11.6.0

Patch commits

spacelabshealthcare.com

Affected packages

Spacelabs Healthcare / Sentinel
< 11.6.0 (from 10.5.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available