Description
Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\SYSTEM.
Published: 2026-06-04
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization flaw in its .NET Remoting endpoint. The DataServiceSingleton endpoint, hosted by BtSystem.Service.exe on localhost TCP port 7375, uses a BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, so the server-side BinaryFormatter will deserialize any type a client sends, including the public gadget chains produced by YSoSerial.NET. Any local user who can open a socket to 127.0.0.1:7375 can therefore run arbitrary code inside the service process, which runs as NT AUTHORITY\SYSTEM. The weakness is CWE-502 (deserialization of untrusted data). The impact is a complete compromise of the host: the attacker can read, modify or delete any data, add accounts, and install persistence.

Affected Systems

Seagull Software, LLC’s BarTender 2021, versions R1 through 12.0.1 inclusive, is affected. The vulnerable component is BtSystem.Service.exe, which hosts the .NET Remoting listener on TCP port 7375 bound to localhost; the endpoint is therefore reachable only by code already running on the host, which is what keeps the attack vector local rather than network.
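
The following script is an added example, not code from the advisory, OpenCVE or Seagull Software. It checks whether a Windows host exposes the listener described above: something listening on TCP 7375, the image that owns the socket, the service account it runs under, and (where visible) the remoting formatter's typeFilterLevel. The port and image name come from the advisory; everything else is an assumption, labelled in the comments: that the channel may be declared in BtSystem.Service.exe.config (if BarTender sets it up in code instead, the TypeFilterLevel field stays "unknown"), and that the service runs as LocalSystem. Run it elevated in Windows PowerShell 5.1 or PowerShell 7 so the owning process and service account are readable.

```powershell
# Added example (not from the advisory, OpenCVE or Seagull Software): does this host expose
# the localhost .NET Remoting listener described in CVE-2026-25551?
function Test-BarTenderRemotingExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 7375,                       # from the advisory
        [string]$Image = 'BtSystem.Service.exe'  # from the advisory
    )

    $result = [ordered]@{
        Listening       = $false
        LocalAddress    = $null
        OwningProcess   = $null
        Image           = $null
        ServiceName     = $null
        ServiceAccount  = $null
        TypeFilterLevel = 'unknown'
        Exposed         = $false
    }

    # 1. Is anything listening on the port, and on which address? The advisory says
    #    loopback only; a 0.0.0.0 / :: bind would widen the attack surface to the network.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $listener) { return [pscustomobject]$result }

    $result.Listening     = $true
    $result.LocalAddress  = $listener.LocalAddress
    $result.OwningProcess = $listener.OwningProcess

    # 2. Which image owns the socket?
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path) { $result.Image = Split-Path $proc.Path -Leaf }

    # 3. Which Windows service and account host it? LocalSystem is what turns RCE into SYSTEM.
    $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($listener.OwningProcess)" |
           Select-Object -First 1
    if ($svc) {
        $result.ServiceName    = $svc.Name
        $result.ServiceAccount = $svc.StartName
    }

    # 4. Assumption: if the remoting channel is declared in the .exe.config, the binary
    #    formatter's typeFilterLevel attribute is visible there ("Full" is what the advisory
    #    names). If the channel is registered in code, this stays "unknown".
    $config = if ($proc -and $proc.Path) { "$($proc.Path).config" } else { $null }
    if ($config -and (Test-Path -LiteralPath $config)) {
        try {
            [xml]$cfg = Get-Content -LiteralPath $config -Raw -ErrorAction Stop
            $fmt = $cfg.SelectNodes("//formatter[@ref='binary']") | Select-Object -First 1
            if ($fmt) { $result.TypeFilterLevel = $fmt.GetAttribute('typeFilterLevel') }
        } catch {
            Write-Verbose "Could not parse $config : $_"
        }
    }

    # Exposed = the advisory's image owns the listener and runs as SYSTEM.
    $result.Exposed = ($result.Image -ieq $Image) -and
                      ($result.ServiceAccount -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$')
    [pscustomobject]$result
}

$exposure = Test-BarTenderRemotingExposure
$exposure | Format-List
if ($exposure.Exposed) {
    $msg = '{0} (PID {1}) listens on {2}:7375 as {3}; any local user can reach the endpoint' -f
           $exposure.Image, $exposure.OwningProcess, $exposure.LocalAddress, $exposure.ServiceAccount
    Write-Warning $msg
}
```

A non-loopback LocalAddress on an exposed host is worth treating as a separate, more serious finding than the advisory describes. A TypeFilterLevel of "Low" reported by step 4 should not be read as "fixed": Low only restricts a subset of types, and BinaryFormatter is unsafe with untrusted input at any filter level, so the only real fix is a vendor update that stops deserializing client-controlled BinaryFormatter data.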

Risk and Exploitability

The CVSS v4.0 score of 8.5 (v3.1: 7.8) indicates high severity. No EPSS score is available yet. The attack vector is local, so the flaw cannot be exploited over the network on its own, but any foothold as a standard user (a malicious insider, a phished account, malware running in a user session, or a web shell on a server that also runs BarTender) is enough, and exploitation is cheap: the attacker does not need to develop a gadget chain, only to send a public YSoSerial.NET payload to 127.0.0.1:7375. The vulnerability is not listed in CISA’s KEV catalog. A successful exploit yields NT AUTHORITY\SYSTEM, i.e. full control of the host.

Generated by OpenCVE AI on June 4, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor update that removes the insecure deserialization behavior (a .NET Remoting channel using BinaryFormatter with TypeFilterLevel Full) in BarTender 2021; at the time of writing the advisory lists no fix or workaround.
  • If no patch is available, stop and disable the BtSystem.Service.exe service so that nothing listens on TCP port 7375. A host-firewall rule is not a substitute: Windows Defender Firewall does not filter loopback traffic, so a rule against 127.0.0.1:7375 will not stop a local client. Disabling the service will break BarTender functionality that depends on it, so test the impact first.
  • Restrict who can log on to or run code on hosts that run BarTender, and monitor for the post-exploitation footprint rather than for "activity on port 7375" in general: BtSystem.Service.exe spawning child processes (cmd.exe, powershell.exe and similar, which a YSoSerial.NET command gadget would produce running as SYSTEM) and processes other than BarTender's own components connecting to 127.0.0.1:7375.
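
The following detection logic is an added example, not code from the advisory, OpenCVE or Seagull Software. It runs the two signals from the last action above over Sysmon events: Event ID 1 where BtSystem.Service.exe is the parent of a new process (a YSoSerial.NET command gadget starts its command from the deserializing process, so the child runs as SYSTEM), and Event ID 3 where a process outside an allow-list connects to 127.0.0.1:7375. Assumptions, also marked in the code: Sysmon is deployed with process-creation and network-connection logging that includes loopback connections; the allow-list of legitimate callers is a guess that must be tuned per site; the three sample events and the install paths in them are constructed for this example.

```powershell
# Added example (not from the advisory, OpenCVE or Seagull Software): hunt Sysmon events
# for the footprint of a BinaryFormatter gadget payload fired into BtSystem.Service.exe.
$Port            = 7375                                      # from the advisory
$ServiceImage    = 'BtSystem.Service.exe'                    # from the advisory
$ExpectedClients = @('BtSystem.Service.exe', 'bartend.exe')  # assumption: legitimate local callers

function ConvertFrom-SysmonEvent {
    # Flatten <Data Name="X">value</Data> into a hashtable keyed by field name.
    param([xml]$EventXml)
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    $fields = @{ EventId = [int]$id }
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Find-BarTenderRemotingAbuse {
    param([hashtable[]]$Events)
    foreach ($e in $Events) {
        switch ($e.EventId) {
            1 {   # process creation: anything whose parent is the remoting service
                if ($e.ParentImage -and (Split-Path $e.ParentImage -Leaf) -ieq $ServiceImage) {
                    [pscustomobject]@{
                        Signal = 'ChildOfService'; User = $e.User
                        Image  = $e.Image;         Detail = $e.CommandLine
                    }
                }
            }
            3 {   # network connection: unexpected local client of the remoting port
                $client = if ($e.Image) { Split-Path $e.Image -Leaf } else { '' }
                if ($e.DestinationPort -eq "$Port" -and $e.DestinationIp -in @('127.0.0.1', '::1') -and
                    $ExpectedClients -notcontains $client) {
                    [pscustomobject]@{
                        Signal = 'UnexpectedClient'; User = $e.User
                        Image  = $e.Image;           Detail = "$($e.SourceIp):$($e.SourcePort) -> $($e.DestinationIp):$Port"
                    }
                }
            }
        }
    }
}

# Constructed sample events (Sysmon schema trimmed to the fields used here; paths assumed).
$SampleChild = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c net localgroup Administrators lowpriv /add</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="ParentImage">C:\Program Files\Seagull\BarTender 2021\BtSystem.Service.exe</Data>
  </EventData>
</Event>
'@
$SampleClient = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\lowpriv\Downloads\sender.exe</Data>
    <Data Name="User">CORP\lowpriv</Data>
    <Data Name="SourceIp">127.0.0.1</Data>
    <Data Name="SourcePort">50612</Data>
    <Data Name="DestinationIp">127.0.0.1</Data>
    <Data Name="DestinationPort">7375</Data>
  </EventData>
</Event>
'@
$SampleBenign = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\Seagull\BarTender 2021\bartend.exe</Data>
    <Data Name="User">CORP\operator</Data>
    <Data Name="SourceIp">127.0.0.1</Data>
    <Data Name="SourcePort">50613</Data>
    <Data Name="DestinationIp">127.0.0.1</Data>
    <Data Name="DestinationPort">7375</Data>
  </EventData>
</Event>
'@

$events = foreach ($s in $SampleChild, $SampleClient, $SampleBenign) { ConvertFrom-SysmonEvent -EventXml ([xml]$s) }
Find-BarTenderRemotingAbuse -Events $events | Format-Table -AutoSize

# Against a live host, feed real events instead of the constructed samples:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3 } |
#         ForEach-Object { ConvertFrom-SysmonEvent -EventXml ([xml]$_.ToXml()) }
# Find-BarTenderRemotingAbuse -Events $live
```

The child-process signal is the higher-fidelity one: BarTender's service has no ordinary reason to launch cmd.exe or powershell.exe, and the User field of the child will read NT AUTHORITY\SYSTEM. The client signal depends entirely on how complete the allow-list is, so expect to tune it on a host where label printing is in normal use before alerting on it.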

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:45:00 +0000

Type         Values Removed   Values Added
Description  -                Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\SYSTEM.
Title        -                Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service
Weaknesses   -                CWE-502
References   -                -
Metrics      -                cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                              cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T17:20:09.946Z

Reserved: 2026-02-02T20:12:33.395Z

Link: CVE-2026-25551

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-04T18:16:28.923

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-25551

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T18:30:16Z

Weaknesses