Description
Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection.This issue affects RightFax: through 25.4.
Published: 2026-04-15
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization flaw that permits the injection of malicious objects into OpenText RightFax running on Windows 32‑bit and 64‑bit systems. An attacker can exploit this weakness to cause arbitrary code execution within the application and potentially gain full control of the underlying operating system. The flaw arises because untrusted data is deserialized without proper validation, enabling an attacker to craft payloads that execute arbitrary code.

Affected Systems

The issue affects OpenText RightFax software through version 25.4. All installations on Windows 32‑bit and 64‑bit platforms that have not upgraded to the latest available release are vulnerable. Users should consult OpenText for a patched version that resolves the deserialization flaw.

Risk and Exploitability

The CVSS score of 9.3 indicates a high‑severity vulnerability. EPSS data is unavailable and the flaw is not documented in CISA's Known Exploited Vulnerabilities catalog, so the exact exploitation probability is uncertain. Nevertheless, the attack vector is inferred to be remote, most likely via network interfaces or file uploads that the application processes. If the RightFax server is exposed to untrusted networks, an attacker could leverage this weakness to achieve remote code execution before a patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 02:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for RightFax that addresses the deserialization flaw when it becomes available.
  • If an upgrade is not immediately possible, disable or restrict any public-facing functionalities that accept external data, such as remote fax submission interfaces, and remove any unnecessary network services.
  • Implement network segmentation and firewall rules to restrict inbound connections to the RightFax server, allowing access only from trusted hosts.
  • Validate all inputs to the application and employ whitelisting for acceptable object types to prevent unchecked deserialization.

Generated by OpenCVE AI on April 16, 2026 at 02:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Deserialization of Untrusted Data Allows Object Injection in OpenText RightFax

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Opentext
Opentext rightfax
Vendors & Products Opentext
Opentext rightfax

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection.This issue affects RightFax: through 25.4.
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Opentext Rightfax
cve-icon MITRE

Status: PUBLISHED

Assigner: OpenText

Published:

Updated: 2026-04-15T17:32:31.254Z

Reserved: 2026-03-16T14:20:32.991Z

Link: CVE-2025-15610

cve-icon Vulnrichment

Updated: 2026-04-15T17:32:25.478Z

cve-icon NVD

Status : Received

Published: 2026-04-15T17:17:00.020

Modified: 2026-04-15T17:17:00.020

Link: CVE-2025-15610

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses