CVE-2026-25550
Description
BarTender 2010, 2016, and 2019 have an unauthenticated RCE vulnerability in the .NET Remoting service, allowing arbitrary file access and credential theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Seagull Software BarTender versions 2010 (<= 10.1 R4), 2016 (<= R9), and 2019 (<= R10) contain an unauthenticated remote code execution vulnerability within the .NET Remoting service, accessible via BtSystem.Service.exe on TCP port 7375. The service exposes unauthenticated singleton endpoints (BarTenderSystem or DataServiceSingleton) configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full [2].
Exploitation
An unauthenticated remote attacker can exploit the .NET Remoting object unmarshalling vulnerability. By sending specially crafted requests to the service, an attacker can leverage the .NET WebClient class to read or write arbitrary files on the server. Alternatively, an attacker can coerce NTLMv2 authentication by providing a UNC path to an attacker-controlled server, potentially leading to credential disclosure, remote code execution, or lateral movement [2].
Impact
Successful exploitation allows an attacker to achieve arbitrary file read/write capabilities on the server. Furthermore, by coercing authentication, sensitive credential disclosure, remote code execution, or lateral movement can be achieved. The vulnerability is particularly severe as the service runs in the context of NT AUTHORITY\SYSTEM, granting high privileges [2].
Mitigation
Seagull Software has released patches for affected versions. Users should update to the latest available versions. Specific fixed versions are BarTender 2010 (>= 10.1 R5), BarTender 2016 (>= R10), and BarTender 2019 (>= R11). Information regarding End-of-Life (EOL) status or if the vulnerability has been listed on the Known Exploited Vulnerabilities (KEV) catalog is not yet disclosed in the available references [1, 2].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 2010, 2016 <= R9, 2019 <= R10
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.