Description
Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling, allowing remote attackers to read arbitrary files from the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite.
Published: 2026-02-24
Score: 10 Critical
EPSS: 1.2% Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Read/Write
Action: Patch Immediately
AI Analysis

Impact

Altec DocLink version 4.0.336.0 exposes unauthenticated .NET Remoting endpoints accessed through TCP or HTTP/SOAP. The service, Altec.RDCHostService.exe, binds to the object URI 'doclinkServer.soap' and performs unsafe object unmarshalling. This allows a remote actor to specify any file path on the underlying system, read its contents, or write data to arbitrarily chosen locations, including paths that are publicly reachable under IIS. A write to such locations can overwrite web‑executable files and give the attacker the ability to execute code on the server, or cause denial of service by corrupting critical files. The vulnerability is a classic instance of unsafe deserialization (CWE‑502) and can be leveraged without authentication, leading to full remote code execution.

Affected Systems

Beyond Limits Inc. maintains Altec DocLink. The affected product is Altec DocLink version 4.0.336.0. No other versions are listed as affected in the CNA data. The product is typically deployed in environments where the Altec.RDCHostService.exe process listens for .NET Remoting traffic on standard TCP/HTTP ports and exposes SOAP endpoints.

Risk and Exploitability

The CVSS score of 10 indicates maximum severity, and the EPSS score of 1% reflects a non‑negligible likelihood of exploitation. It is not listed in the CISA KEV catalog, but the presence of unauthenticated access and deserialization flaws strongly suggests that attackers could target the service over the public internet. The likely attack vector involves a remote actor connecting to the vulnerable TCP or HTTP endpoints, crafting a malicious payload that exploits the deserialization process to read or overwrite files and thereby achieve remote code execution.

Generated by OpenCVE AI on April 16, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch or upgrade Altec DocLink to a version that removes or protects the .NET Remoting endpoints.
  • If an immediate patch is unavailable, stop or disable the Altec.RDCHostService.exe process or remove the 'doclinkServer.soap' object URI from the configuration to eliminate the unauthenticated entry point.
  • Restrict network access to the ports and hosts used by Altec.RDCHostService.exe using firewall rules or segmentation, ensuring that only trusted internal hosts can reach the service.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Beyond; Beyond altec Doclink
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:beyond:altec_doclink:4.0.336.0:*:*:*:*:*:*:*
Vendors & Products | | Beyond; Beyond altec Doclink
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Beyond Limits; Beyond Limits altec Doclink
Vendors & Products | | Beyond Limits; Beyond Limits altec Doclink

Tue, 24 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling, allowing remote attackers to read arbitrary files from the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite.
Title | | DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE
Weaknesses | | CWE-502; CWE-918
References | |
Metrics | | cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-27T20:53:32.186Z

Reserved: 2026-02-11T20:08:07.945Z

Link: CVE-2026-26222

Vulnrichment

Updated: 2026-02-27T20:53:28.836Z

NVD

Status: Analyzed

Published: 2026-02-24T18:29:33.293

Modified: 2026-02-27T20:05:06.970

Link: CVE-2026-26222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z