CVE-2026-58127: PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service
PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated remote code execution vulnerability exists in PACSgear MediaWriter 5.2.1, caused by an exposed .NET Remoting TCP service on port 9000 that requires no credentials. The service is reachable over the network without any authentication, and the attack requires no user interaction. Successful exploitation lets an attacker read and write arbitrary files on the host and, by chaining a DLL hijack against the MediaWriter service process running as NT Authority\\SYSTEM, execute arbitrary code with full system privileges. No fix version has been published; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-58127 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle PACSgear MediaWriter components. Any image layer containing the affected PacsgearMediaServerEngine.dll version is flagged automatically.
AvailableTriage is available with a CVSS v4.0 score of 9.3 (Critical), surfaced alongside per-environment compliance policy weighting so the finding is routed to the appropriate team inbox within each customer organization. HarborGuard highlights the network-exposed, no-authentication attack surface to help teams prioritize response relative to other open findings.
AvailableBecause no upstream fix version has been published for CVE-2026-58127, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers can use HarborGuard policy controls to flag or block deployment of images containing the affected version and apply compensating network controls at the container or host level.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the target host over the network on TCP port 9000, where the .NET Remoting service listens by default.
- AuthenticationNot required
The exposed .NET Remoting service accepts connections with no credentials; any unauthenticated network client can interact with the registered ObjectURIs.
- Victim interactionNot required
No user action is needed; the attacker interacts directly with the listening service without involving any human on the target system.
- Attack complexityDetail
Exploit conditions are reliable and free of race conditions or environmental dependencies, as the ObjectURIs are static and identical across all default installations.
Blast Radius
- Reads arbitrary files from the host filesystem, including credential stores, configuration files, and sensitive application data.
- Writes arbitrary files to any path accessible by the service process, enabling placement of malicious DLLs or overwriting of existing binaries.
- Achieves code execution as NT Authority\\SYSTEM by dropping a rogue DLL (such as CRYPTBASE.DLL) into the application directory and triggering a service restart, granting full control of the host operating system.
- A SYSTEM-level foothold allows an attacker to pivot to other services, extract credentials from memory, and disable local security controls.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is active across connected registries and CI pipelines for any image containing PACSgear MediaWriter 5.2.1 components. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. Until a patch is available, recommended compensating controls include applying network policy rules that restrict inbound access to TCP port 9000 to known trusted hosts only, enforcing egress filtering on the MediaWriter host to limit lateral movement, and using HarborGuard admission policies to block deployment of images containing the affected binary into production namespaces. Where compliance policy permits, teams can also configure HarborGuard to fail CI pipeline builds that include the affected version, preventing the image from reaching any registry.
- Hyland / PACSgear MediaWriter5.2.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N