Description
PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.
Published: 2026-07-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PACSGear MediaWriter 5.2.1 allows an attacker to exploit a .NET Remoting TCP service that is enabled on port 9000 and requires no authentication. By deserializing a MarshalByRefObject and using .NET WebClient methods, the attacker can read and write arbitrary files on the host. The ObjectURIs used by the service are identical on all installations, enabling a universal exploitation method. The write is sufficient to perform DLL hijacking by placing a crafted DLL in the application directory. When the MediaWriter service restarts, it loads the malicious DLL as NT Authority\SYSTEM, giving the attacker system‑level code execution.

Affected Systems

The affected product is Hyland PACSGear MediaWriter version 5.2.1. All installations of this version expose the same .NET Remoting TCP service on port 9000 and are therefore subject to the described vulnerability.

Risk and Exploitability

The CVSS score of 9.3 classifies this as a critical vulnerability. Although the EPSS score is not published, the lack of any authentication requirement and the presence of a documented exploit enable straightforward remote exploitation. The vulnerability is not listed in the CISA KEV catalog, but the severity and readiness of an exploit make it a high‑risk threat for any system that can reach the service over the network. Attackers would only need network access to the target host to leverage the vulnerability.

Generated by OpenCVE AI on July 2, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a version of PACSGear MediaWriter that removes the unauthenticated .NET Remoting TCP service or secures it with proper authentication.
  • If a patch is not yet available, block inbound traffic to port 9000 using a firewall or network ACL so that the Remoting service is inaccessible from untrusted networks.
  • Remove or rename the PacsgearMediaServerEngine.dll file and disable the DLL search path for the MediaWriter application to prevent DLL hijacking opportunities.
  • Configure the MediaWriter service to run under a non‑privileged account or restrict its DLL load directories to prevent elevation to SYSTEM during a service restart.

Generated by OpenCVE AI on July 2, 2026 at 15:59 UTC.
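
A host-side audit for the conditions described above, as an added example that is not part of the advisory, OpenCVE's output or any vendor tooling. It reports a listener on TCP 9000, whether an inbound block rule names that port, DLLs in the application directory that shadow System32 names, and the account the service runs as. `$AppDir` is a placeholder for the real MediaWriter installation directory, which this page does not give.

```powershell
# Added example (not vendor code): audit a host for the conditions in this advisory.
# $AppDir is a placeholder: pass the real MediaWriter installation directory.
param(
    [Parameter(Mandatory)] [string] $AppDir,
    [int] $Port = 9000
)
$findings = @()

# 1. Listener on the Remoting port and the process that owns it.
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Check = 'Listener'
        Detail = "$($l.LocalAddress):$Port owned by $($p.ProcessName) (PID $($l.OwningProcess))" }
}

# 2. Enabled inbound block rule naming this TCP port (exact match only; port
#    ranges and rules scoped to specific remote addresses need manual review).
$block = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" })
if ($listeners.Count -gt 0 -and $block.Count -eq 0) {
    $findings += [pscustomobject]@{ Check = 'Firewall'; Detail = "No inbound block rule for TCP $Port" }
}

# 3. DLLs in the application directory whose names shadow a System32 DLL
#    (CRYPTBASE.DLL is the example named in the advisory), with signature status.
$sys32 = Join-Path $env:windir 'System32'
foreach ($dll in Get-ChildItem -LiteralPath $AppDir -Filter *.dll -File) {
    if (Test-Path -LiteralPath (Join-Path $sys32 $dll.Name)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $findings += [pscustomobject]@{ Check = 'ShadowDll'
            Detail = "$($dll.FullName) signature=$($sig.Status) written=$($dll.LastWriteTimeUtc.ToString('u'))" }
    }
}

# 4. Services running from that directory and the account they run as.
$svcs = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName.IndexOf($AppDir, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
foreach ($s in $svcs) {
    $findings += [pscustomobject]@{ Check = 'Service'; Detail = "$($s.Name) runs as $($s.StartName)" }
}

$findings | Format-Table -AutoSize -Wrap
```

A `ShadowDll` row is a prompt for review rather than proof of tampering, since some applications legitimately ship their own copies of system-named libraries; compare the signature status and write time against the installation date.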

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Description PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.
Title PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service
Weaknesses CWE-306
CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T17:25:29.591Z

Reserved: 2026-06-29T14:13:18.384Z

Link: CVE-2026-58127

Vulnrichment

Updated: 2026-07-01T16:15:10.370Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T16:00:12Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-502

    Deserialization of Untrusted Data