Description
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
Published: 2026-04-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Sensitive Data Disclosure
Action: Immediate Patch
AI Analysis

Impact

Kofax Capture 6.0.0.0 exposes a deprecated .NET Remoting HTTP channel on port 2424 that requires no authentication and uses a standard endpoint identifier. An attacker can exploit the channel’s object unmarshalling to create a System.Net.WebClient instance, allowing arbitrary reading and writing of files on the server filesystem, or coercing NTLMv2 authentication to an attacker‑controlled host. This can result in data theft, denial‑of‑service, remote code execution, or lateral movement depending on the privileges of the service account. The flaw is grounded in CWE‑306 (Authentication Bypass) and CWE‑441 (Unrestricted Resource Manipulation of Files and Directories).

Affected Systems

The vulnerability affects Kofax Capture (now called Tungsten Capture) version 6.0.0.0; other versions may also be impacted. The affected product is delivered by Tungsten Automation and configured with a .NET Remoting HTTP channel on port 2424. If your environment runs this version or earlier builds, it is likely susceptible.

Risk and Exploitability

The CVSS base score of 9.3 classifies the issue as critical. The EPSS score of less than 1% indicates that, at present, attackers are unlikely to have exploited the flaw widely, and it is not listed in CISA’s KEV catalog. Nevertheless, the vulnerability is exploitable from any network location that can reach port 2424, making it a high‑risk attack surface for organizations that expose Kofax Capture to the Internet or insecure internal networks. If compromised, an attacker can read or write any file the service account can access, pull NTLMv2 credentials, perform denial‑of‑service or execute arbitrary code on the host. The attack vector is a remote, unauthenticated HTTP session to the .NET Remoting endpoint.

Generated by OpenCVE AI on April 28, 2026 at 07:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a version that disables or secures the .NET Remoting channel.
  • Disable or block inbound traffic to TCP port 2424 so the remote channel cannot be reached.
  • Restrict the privileges of the Kofax Capture service account to the minimum required for operation, limiting its ability to read/write sensitive files.
  • Audit and monitor the filesystem and Windows authentication logs for unusual activity that could indicate exploitation of the vulnerable channel.

Generated by OpenCVE AI on April 28, 2026 at 07:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Tungstenautomation
Tungstenautomation kofax Capture
Vendors & Products Tungstenautomation
Tungstenautomation kofax Capture

Sat, 25 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
Title Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting
Weaknesses CWE-306
CWE-441
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tungstenautomation Kofax Capture
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:22.940Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23751

cve-icon Vulnrichment

Updated: 2026-04-25T01:20:32.794Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T16:16:24.463

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-23751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses