Description
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
Published: 2026-01-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because the SmartCardController service in Entrust Instant Financial Issuance exposes a .NET Remoting channel with unsafe formatter settings, allowing unauthenticated callers to invoke remote objects. An attacker can read arbitrary files, force outbound authentication, and potentially write files or execute code, leading to disclosure of installation secrets and complete compromise of the affected host. The weaknesses are classified as CWE-306 (Missing Authentication for Critical Function) and CWE-502 (Deserialization of Untrusted Data).

Affected Systems

The affected software is Entrust Corporation's Instant Financial Issuance (IFI) On Premise product, including all 5.x releases, and 6.x releases prior to 6.10.5 and prior to 6.11.1. The vulnerable component is DCG.SmartCardControllerService.exe, which registers a TCP remoting channel.

Risk and Exploitability

The CVSS v4.0 base score of 9.3 indicates critical severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based: an unauthenticated remote actor only has to reach the remoting port, so firewall rules that restrict access to that port reduce exposure. Unsafe deserialization combined with missing authentication allows remote code execution once the port is reachable.

Generated by OpenCVE AI on April 16, 2026 at 07:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed Instant Financial Issuance release (6.10.5, or 6.11.1 or newer; 6.11.0 is still in the affected range), which removes the insecure remoting channel.
  • If an upgrade is not immediately possible, disable or stop the SmartCardController service (DCG.SmartCardControllerService.exe) to prevent the vulnerable remoting endpoint from listening.
  • Block inbound traffic to the affected remoting port at the network perimeter using firewall rules, limiting access to trusted administrators only.
  • Apply any vendor‑issued hotfixes or workarounds published in the official advisory.
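
The check below is an added example, not Entrust or OpenCVE code. It supports the second and third actions by finding the service from the binary name given in the description, listing the TCP ports its process listens on (the page does not state the remoting port), and optionally stopping and disabling it. The -Disable switch is defined by this script only, and treating the file version as the product version is an assumption.

```powershell
# Added example (not vendor code). Run in an elevated PowerShell session on the IFI server.
param([switch]$Disable)   # -Disable is a switch defined by this script only

$exeName = 'DCG.SmartCardControllerService.exe'   # binary named in the CVE description

# Match on the binary path: the description names the executable, not the service name.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$exeName*" })

if ($services.Count -eq 0) {
    Write-Output "No service on this host runs $exeName."
    return
}

foreach ($svc in $services) {
    Write-Output ("Service {0}: state={1}, start mode={2}, account={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.StartName)

    # Report the binary's file version for comparison with 6.10.5 / 6.11.1.
    # Assumption: the file version tracks the product version.
    if ($svc.PathName -match '^"?(.+?\.exe)') {
        $exe = Get-Item -LiteralPath $Matches[1] -ErrorAction SilentlyContinue
        if ($exe) { Write-Output ("  File version: {0}" -f $exe.VersionInfo.FileVersion) }
    }

    # Listening sockets owned by the service process, one line per port.
    # These are the ports to restrict in firewall rules.
    if ($svc.ProcessId -gt 0) {
        Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
            Sort-Object LocalPort -Unique |
            ForEach-Object { Write-Output ("  Listening on {0}:{1}" -f $_.LocalAddress, $_.LocalPort) }
    }

    # Interim mitigation when an upgrade is not immediately possible.
    if ($Disable) {
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "  Stopped and disabled $($svc.Name)."
    }
}
```

A listener bound to 0.0.0.0 or a routable address is reachable from the network unless a firewall rule restricts it.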


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Entrust; Entrust Instant Financial Issuance
Vendors & Products | | Entrust; Entrust Instant Financial Issuance

Thu, 15 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | Text identical to the Description at the top of this page
Title | | Entrust Instant Financial Issuance (IFI) SmartCardController Service .NET Remoting RCE
Weaknesses | | CWE-306; CWE-502
References | |
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:11.756Z

Reserved: 2026-01-15T18:42:20.937Z

Link: CVE-2026-23746

Vulnrichment

Updated: 2026-01-15T20:33:47.242Z

NVD

Status: Deferred

Published: 2026-01-15T20:16:05.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:00:11Z

Weaknesses