CRITICAL | CVE-2026-25550 | CNA: VulnCheck

CVE-2026-25550: Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service

Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint — BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 — configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server, enabling sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY\SYSTEM.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 3


HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability exists in Seagull Software BarTender versions 2010, 2016, and 2019, caused by an insecure .NET Remoting service exposed on TCP port 7375. Any attacker who can reach this port over the network can exploit unsafe object deserialization without providing any credentials. Successful exploitation gives the attacker arbitrary file read and write on the host, NTLMv2 credential capture, and full remote code execution running as NT AUTHORITY\SYSTEM. No vendor-supplied fix is available; HarborGuard tracks this advisory and will surface patch availability as soon as upstream publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-25550 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including VulnCheck and NVD. Coverage extends to custom-built images that bundle BarTender components or its runtime dependencies, not just images sourced from public registries.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v4.0 score of 9.3 (CRITICAL) and applies per-environment compliance policy weighting to determine breach-level priority and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on workload ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published by Seagull Software, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is identified.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach TCP port 7375 on the host running BtSystem.Service.exe over the network; any internet- or intranet-exposed deployment is at risk.

  • Authentication: Not required

    The .NET Remoting endpoint registers an unauthenticated singleton, so no account credentials of any privilege level are needed to send malicious payloads.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action, click, or session is required from anyone on the target system.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, memory layout knowledge, or environmental setup beyond network access to the exposed port.

Blast Radius

  • Reads arbitrary files on the server filesystem, including configuration files, secrets, and private keys accessible to NT AUTHORITY\SYSTEM.
  • Writes arbitrary files to the server filesystem, enabling web shell placement, binary replacement, or persistence mechanisms.
  • Captures NTLMv2 credential hashes from the service account (NT AUTHORITY\SYSTEM) by coercing authentication to an attacker-controlled UNC path, usable for relay attacks or offline cracking.
  • Executes arbitrary code as NT AUTHORITY\SYSTEM, granting full control of the host and enabling lateral movement to other systems reachable from the server.

How HarborGuard Handles This

Available on HarborGuard: because no vendor fix exists for CVE-2026-25550, HarborGuard monitors the Seagull Software advisory and VulnCheck feed on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against all affected workloads without manual steps. In the interim, compensating controls are recommended: apply network policy to block inbound access to TCP port 7375 from untrusted network segments, enforce egress filtering to prevent outbound SMB and UNC path connections that enable NTLMv2 coercion, and where operationally possible, disable BtSystem.Service.exe on hosts that do not require the BarTender automation service. Where compliance policy permits broader remediation actions, HarborGuard can surface these controls as policy-gated findings routed to the appropriate team inbox.
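
The interim controls above, sketched as a host-side PowerShell audit for a Windows host running BtSystem.Service.exe. This is an added example, not HarborGuard or Seagull Software code. It assumes an elevated session and a profile whose default inbound action is Block; `$TrustedClients`, the switch names and the rule display name are hypothetical.

```powershell
# Added example, not HarborGuard or Seagull code. Run elevated on the BarTender host.
# $TrustedClients is a constructed placeholder; replace it with the real client ranges.
param(
    [string[]]$TrustedClients = @('192.0.2.0/24'),
    [switch]$Apply,          # without -Apply the script only reports
    [switch]$DisableService  # with -Apply: stop and disable the service instead of scoping it
)
$Port = 7375

# The advisory names the executable, not the service name, so match on the binary path.
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*BtSystem.Service.exe*' }
$svc | Format-Table Name, State, StartMode, StartName -AutoSize

# Which local addresses are listening on the Remoting port?
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize

# Enabled inbound allow rules that name port 7375 or the service binary and accept
# any remote address. Port ranges and allow-everything rules are not evaluated here.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $p = $_ | Get-NetFirewallPortFilter
        $a = $_ | Get-NetFirewallAddressFilter
        $x = $_ | Get-NetFirewallApplicationFilter
        $forPort = ($p.Protocol -in 'TCP', 'Any') -and (@($p.LocalPort) -contains "$Port")
        $forExe  = $x.Program -like '*BtSystem.Service.exe'
        ($forPort -or $forExe) -and (@($a.RemoteAddress) -contains 'Any')
    }
$broad | Format-Table DisplayName, Profile -AutoSize

if ($Apply) {
    if ($DisableService -and $svc) {
        $svc | ForEach-Object {
            Stop-Service -Name $_.Name -Force
            Set-Service -Name $_.Name -StartupType Disabled
        }
    } elseif ($broad) {
        # Narrow the existing allow rules to known clients; the default inbound
        # action (assumed Block) then drops everyone else.
        $broad | Set-NetFirewallRule -RemoteAddress $TrustedClients
    }
    # Removes the UNC/NTLMv2 coercion path over SMB. This also stops the host
    # from reaching legitimate remote file shares.
    New-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2026-25550)' `
        -Direction Outbound -Protocol TCP -RemotePort 445, 139 -Action Block | Out-Null
}
```

Run it without `-Apply` first and review the listed rules; the host firewall change complements, and does not replace, blocking TCP 7375 at the network boundary.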

Affected packages
  • Seagull Software, LLC. / BarTender 2010
    ≤ 10.1 R4
  • Seagull Software, LLC. / BarTender 2016
    ≤ R9
  • Seagull Software, LLC. / BarTender 2019
    ≤ R10
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N