{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21665", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-02T15:00:02.871Z", "datePublished": "2026-02-23T22:34:39.632Z", "dateUpdated": "2026-02-25T16:07:57.615Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\r\n\r\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Fiserv", "product": "Originate Loans Peripherals (formerly Velocity Services) -- Print Service component", "versions": [{"version": "2021.2.4", "status": "affected", "lessThan": "2021.2.4", "versionType": "custom"}]}], "references": [{"url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete"}], "metrics": [{"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "Omar Crespo, Pentester, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-02-23T22:34:39.632Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T16:06:30.487851Z", "id": "CVE-2026-21665", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:07:57.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21665", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T16:06:30.487851Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:07:49.184Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "finder", "value": "Omar Crespo, Pentester, GM Sectec, Corp."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Fiserv", "product": "Originate Loans Peripherals (formerly Velocity Services) -- Print Service component", "versions": [{"status": "affected", "version": "2021.2.4", "lessThan": "2021.2.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete"}], "descriptions": [{"lang": "en", "value": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\r\n\r\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-02-23T22:34:39.632Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21665", "state": "PUBLISHED", "dateUpdated": "2026-02-25T16:07:57.615Z", "dateReserved": "2026-01-02T15:00:02.871Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-02-23T22:34:39.632Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\r\n\r\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments."}, {"lang": "es", "value": "El componente Print Service de Fiserv Originate Loans Peripherals (anteriormente Velocity Services) en la versi\u00f3n no compatible 2021.2.4 (compilaci\u00f3n 4.7.3155.0011) utiliza canales TCP de .NET Remoting obsoletos que permiten la deserializaci\u00f3n insegura de datos no confiables. Cuando estos servicios est\u00e1n expuestos a una red no confiable en una implementaci\u00f3n gestionada por el cliente, un atacante no autenticado puede lograr la ejecuci\u00f3n remota de c\u00f3digo. La versi\u00f3n 2021.2.4 ya no es compatible con Fiserv. Los clientes deben actualizarse a una versi\u00f3n actualmente compatible (2025.1 o posterior) y asegurarse de que los puertos del servicio .NET Remoting no est\u00e9n expuestos m\u00e1s all\u00e1 de los l\u00edmites de la red confiable.\n\nEste CVE documenta el comportamiento observado en una implementaci\u00f3n alojada por el cliente que ejecuta una versi\u00f3n heredada no compatible de Originate Loans Peripherals con puertos de .NET Remoting expuestos a una red no confiable. Esta no es una configuraci\u00f3n predeterminada o compatible. Los clientes que ejecutan versiones heredadas deben actualizarse a una versi\u00f3n actualmente compatible y asegurarse de que los puertos de .NET Remoting est\u00e9n restringidos a segmentos de red confiables. El hallazgo no se aplica a entornos alojados por Fiserv."}], "id": "CVE-2026-21665", "lastModified": "2026-02-25T17:25:37.403", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-02-23T23:16:15.710", "references": [{"source": "support@hackerone.com", "url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2021.2.4,2021.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Originate Loans Peripherals (formerly Velocity Services) -- Print Service component", "source": "cna", "vendor": "Fiserv"}, "product": "originate_loans_peripherals_(formerly_velocity_services)_--_print_service_component", "vendor": "fiserv"}], "created": "2026-02-24T09:54:36.163080+00:00", "updated": "2026-02-24T09:54:36.163169+00:00", "vendors": ["fiserv", "fiserv$PRODUCT$originate_loans_peripherals_(formerly_velocity_services)_--_print_service_component"]}