Description
Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint — BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 — configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server, enabling sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY\SYSTEM.
Published: 2026-06-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Seagull Software BarTender 2010, 2016, and 2019 expose an unauthenticated .NET Remoting service on TCP port 7375. The service registers a singleton endpoint that uses BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, so a remote attacker can send crafted data that the service unmarshals. The attacker can then read or write arbitrary files, or supply a UNC path to an attacker-controlled server to coerce NTLMv2 authentication. The result is credential disclosure, arbitrary code execution, or lateral movement, depending on the privileges of the service account. The service runs as NT AUTHORITY\SYSTEM, so the impact of a successful exploit is not limited by a low-privilege account.

Affected Systems

The affected vendor is Seagull Software, LLC, and the affected products are BarTender 2010, BarTender 2016, and BarTender 2019. No other product versions are listed as affected.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is classified as critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based: an unauthenticated attacker can exploit the service from any host that can reach TCP port 7375. Because the service runs as SYSTEM, successful exploitation would grant full control over the host, making this a high-risk vulnerability in any environment where the service is exposed.

Generated by OpenCVE AI on June 4, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch that removes or secures the .NET Remoting endpoint.
  • If a patch is not yet available, disable the BtSystem.Service.exe process or remove the .NET Remoting configuration so the service no longer listens on port 7375.
  • Block external access to port 7375 with a firewall or network segmentation so only trusted local hosts can communicate with the device.
  • Monitor system logs for attempts to connect to the Remoting service and alert on suspicious activity.
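
The exposure check and containment steps listed above, as an added PowerShell example (not code from the vendor or from OpenCVE). Port 7375 and BtSystem.Service.exe come from this record; the firewall rule name is made up for the example, and the script assumes an elevated session on the BarTender host.

```powershell
#Requires -RunAsAdministrator
# Added example. Port and binary name are taken from the advisory text;
# the rule name below is hypothetical.
$Port     = 7375
$Binary   = 'BtSystem.Service.exe'
$RuleName = 'Block inbound TCP 7375 - BarTender Remoting (example)'

# 1. Is anything listening on the port, and which process owns the socket?
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
$listeners | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        ProcessId    = $_.OwningProcess
        ProcessName  = $proc.ProcessName
        Path         = $proc.Path
    }
} | Format-Table -AutoSize

# 2. Locate the Windows service by its binary path instead of guessing its name,
#    and show which account it runs as (the advisory says SYSTEM).
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$Binary*" })
$services | Format-Table Name, State, StartMode, StartName -AutoSize

# 3. Peers currently connected to the port: review these against the hosts
#    that are expected to talk to this service.
Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Sort-Object RemoteAddress -Unique |
    Format-Table RemoteAddress, RemotePort, OwningProcess -AutoSize

# 4. Containment: add an inbound block rule once. Block rules take precedence
#    over allow rules in Windows Defender Firewall.
if ($listeners.Count -gt 0 -and
    -not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
    Write-Output "Added firewall rule: $RuleName"
}

# 5. Stronger option: stop and disable the service. Left commented out because
#    anything that depends on the service stops working.
# $services | ForEach-Object {
#     Stop-Service -Name $_.Name -Force
#     Set-Service  -Name $_.Name -StartupType Disabled
# }
```

The block rule cuts off every remote client, including legitimate ones; a scoped allow list has to be designed around which hosts actually need the service.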


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service
Weaknesses | | CWE-306, CWE-502
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T17:50:01.515Z

Reserved: 2026-02-02T20:12:33.395Z

Link: CVE-2026-25550

Vulnrichment

Updated: 2026-06-04T17:49:39.535Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T18:16:28.747

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-25550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T19:00:14Z

Weaknesses