How is CVE-2026-25551 exploited?

Network reachability (not-required): The vulnerable endpoint is bound to localhost only; an attacker needs an existing shell or process on the host rather than any network path. Authentication (required): Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to reach the endpoint. Victim interaction (not-required): No user action or social engineering is needed; the attacker sends the payload directly to the listening service. Attack complexity (info): Exploitation is reliable and condition-free; pre-built payload generators such as YSoSerial.NET produce working BinaryFormatter payloads without requiring special timing or environment layout.

What is the impact of CVE-2026-25551?

Executes arbitrary code as NT AUTHORITY\SYSTEM, giving the attacker full control of the host operating system. Reads any file, credential store, or secret accessible to the SYSTEM account, including secrets held by other services on the same host. Modifies or deletes any file, registry key, or process on the host, enabling persistent implantation or sabotage of other workloads. Crashes or disables the BarTender service and any dependent print or labeling workflows running on the host.

Back to search

HIGHCVE-2026-25551Published 2026-06-04Modified 2026-06-04CNA VulnCheck

CVE-2026-25551: Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service

Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\\SYSTEM.

CVSS v4.0: 8.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Insecure deserialization in Seagull Software BarTender (versions 2021 R1 through 12.0.1) allows a low-privileged local user to escalate to SYSTEM-level privileges. The vulnerable component is the DataServiceSingleton .NET Remoting endpoint, bound to localhost on TCP port 7375 by BtSystem.Service.exe, which accepts BinaryFormatter payloads without safe type filtering. An attacker with any local account on the host can send a crafted serialized payload to execute arbitrary code as NT AUTHORITY\SYSTEM. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including internally built images that bundle BarTender components.

Available

Triage

HarborGuard scores this finding at CVSS 8.5 (High) and applies per-environment compliance policy weighting to determine urgency and routing, ensuring the alert reaches the appropriate team inbox within each customer organization.

Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Seagull Software ships a corrected release. Customers can also apply compensating controls in the interim using HarborGuard's policy configuration.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The vulnerable endpoint is bound to localhost only; an attacker needs an existing shell or process on the host rather than any network path.
AuthenticationRequired
Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to reach the endpoint.
Victim interactionNot required
No user action or social engineering is needed; the attacker sends the payload directly to the listening service.
Attack complexityDetail
Exploitation is reliable and condition-free; pre-built payload generators such as YSoSerial.NET produce working BinaryFormatter payloads without requiring special timing or environment layout.

Blast Radius

Executes arbitrary code as NT AUTHORITY\SYSTEM, giving the attacker full control of the host operating system.
Reads any file, credential store, or secret accessible to the SYSTEM account, including secrets held by other services on the same host.
Modifies or deletes any file, registry key, or process on the host, enabling persistent implantation or sabotage of other workloads.
Crashes or disables the BarTender service and any dependent print or labeling workflows running on the host.

How HarborGuard Handles This

Available on HarborGuard: because no vendor fix exists at this time, HarborGuard continuously re-checks the Seagull Software advisory on every feed ingest cycle and will surface a patched-image rebuild the moment an upstream release is published. In the interim, customers can apply compensating controls through HarborGuard policy configuration, specifically network-policy rules that restrict which processes or users can connect to TCP port 7375 on affected hosts, and image-level controls that flag any image shipping BtSystem.Service.exe for mandatory review before deployment. For customers who opt into auto-remediation, the rebuild-plus-regression-run-plus-PR flow will trigger automatically against affected workloads once a fix version is available, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes in environments with auto-remediation enabled.

See how HarborGuard automates this

Affected packages

Seagull Software, LLC. / BarTender 2021
≤ 12.0.1

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

Metrics

Get notified