CVE-2026-25551
Description
Seagull BarTender 2021 R1 through 12.0.1 has an insecure deserialization vulnerability allowing local privilege escalation to SYSTEM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Seagull Software BarTender versions 2021 R1 through 12.0.1 contain an insecure deserialization vulnerability within the DataServiceSingleton .NET Remoting endpoint. This endpoint is bound to localhost on TCP port 7375 by BtSystem.Service.exe and is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full [3]. Versions 2016 up to and including R9, and 2019 up to and including R10, are also affected [1].
Exploitation
A low-privileged local attacker can exploit this vulnerability by sending specially crafted BinaryFormatter payloads, generated using tools like YSoSerial.NET, to the localhost-bound .NET Remoting endpoint. This allows the attacker to achieve code execution with elevated privileges [3]. The attack requires local access to the affected machine [1].
Impact
Successful exploitation allows a low-privileged local attacker to escalate privileges to NT AUTHORITY\SYSTEM. This can lead to arbitrary code execution, sensitive credential disclosure, denial of service, or lateral movement within the network, depending on the service account's privileges and the network environment [1, 3].
Mitigation
Not yet disclosed in the available references. The vendor homepage is available for download information [2].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2021 R1 - 12.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The .NET Remoting endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, allowing deserialization of untrusted data."
Attack vector
A low-privileged local attacker can send a specially crafted BinaryFormatter payload, generated using tools like YSoSerial.NET, to the DataServiceSingleton .NET Remoting endpoint. This endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe [ref_id=1]. The attacker exploits the insecure deserialization mechanism to achieve code execution [ref_id=1]. For BarTender versions 2021 R1 through 12.0.1, the endpoint is restricted to localhost, necessitating local access [ref_id=1].
Affected code
The vulnerability lies within the DataServiceSingleton .NET Remoting endpoint, which is exposed by BtSystem.Service.exe [ref_id=1]. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on remediation. However, it notes that BarTender versions from 2021 R1 onwards restricted the .NET remoting TCP channel to bind to localhost only. Despite this change, the service is still registered with the unsafe BinaryServerFormatterSinkProvider class and a TypeFilterLevel value of Full, which can still be leveraged to perform local privilege escalation [ref_id=1].
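As an added illustration (not BarTender's own code; the DataServiceSingleton class here is a hypothetical placeholder, since the real implementation is not public), the following C# shows what a .NET Remoting server registration matching the description above looks like, with the TypeFilterLevel.Full setting the advisory names beside a TypeFilterLevel.Low registration with channel security enabled:

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical placeholder for the remoted object.
public class DataServiceSingleton : MarshalByRefObject
{
    public string Ping() => "pong";
}

public static class RemotingHost
{
    // Builds a localhost-bound TCP channel on the given port. The formatter
    // sink's TypeFilterLevel decides which object graphs BinaryFormatter will
    // deserialize from callers before any method on the service is invoked.
    public static TcpChannel BuildChannel(int port, TypeFilterLevel typeFilterLevel)
    {
        var serverSink = new BinaryServerFormatterSinkProvider
        {
            TypeFilterLevel = typeFilterLevel
        };
        var props = new Hashtable
        {
            ["port"] = port,
            ["bindTo"] = "127.0.0.1",        // localhost-only, as in 2021 R1 onwards
            ["rejectRemoteRequests"] = true
        };
        return new TcpChannel(props, null, serverSink);
    }

    public static void Main()
    {
        // Shape the advisory describes: Full accepts arbitrary serialized object
        // graphs from any local caller, which is the deserialization sink at issue.
        // TcpChannel vulnerable = BuildChannel(7375, TypeFilterLevel.Full);

        // Hardened shape: Low limits the sink to the basic remoting types, and
        // ensureSecurity: true makes the TCP channel authenticate callers with
        // Windows credentials instead of accepting anonymous connections.
        TcpChannel channel = BuildChannel(7375, TypeFilterLevel.Low);
        ChannelServices.RegisterChannel(channel, ensureSecurity: true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(DataServiceSingleton), "DataServiceSingleton",
            WellKnownObjectMode.Singleton);
        Console.WriteLine("Listening on tcp://127.0.0.1:7375/DataServiceSingleton");
        Console.ReadLine();
    }
}
```

TypeFilterLevel.Low narrows what the server sink will deserialize but does not make BinaryFormatter safe; Microsoft documents both BinaryFormatter and .NET Remoting as insecure for untrusted input, so replacing the remoting channel is the durable fix.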
Preconditions
- auth: The attacker must have low-privileged local user access to the target system.
- network: The attacker must be able to connect to the localhost-bound .NET Remoting endpoint on TCP port 7375.
Reproduction
Applies to BarTender 2021 R1 through 12.0.1 [ref_id=1]:
1. ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "<command>" -o base64
2. ExploitRemotingService.exe -s --user="" --pass="" tcp://localhost:7375/DataServiceSingleton raw <base64_ysoserial_output>
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.