1. Exploit Title: PACSGEAR MediaWriter - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting
CVE ID: CVE-2026-58127
Vendor Homepage: https://www.hyland.com/en/solutions/products/pacsgear
PACSGear MediaWriter exposes on all interfaces a .NET Remoting service on port 9000 registered by the DLL file PacsgearMediaServerEngine.dll. The RegisterWellKnownServiceType function is used to register the .NET Remoting TCP channel for the service configured. The registered ObjectURI are RemoteObj and UIRemoteObj. By modifying the Proof of Concept of an object unmarshalling technique discovered by researchers of Code-White, implementing the .NET WebClient class method to read/write internal files and using a custom channel sink to force the connection to the correct host and port, arbitrary fil