Skip to content

Instantly share code, notes, and snippets.

@VAMorales
VAMorales / PACSGEAR-MediaWriterAFR-NETRemoting.md
Created July 1, 2026 12:35
PACSGEAR MediaWriter - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting

1. Exploit Title: PACSGEAR MediaWriter - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting

Disclosure Date: 07/01/2026

Exploit Authors: Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.

Known Affected Versions: 5.2.1

Description

PACSGear MediaWriter exposes on all interfaces a .NET Remoting service on port 9000 registered by the DLL file PacsgearMediaServerEngine.dll. The RegisterWellKnownServiceType function is used to register the .NET Remoting TCP channel for the service configured. The registered ObjectURI are RemoteObj and UIRemoteObj. By modifying the Proof of Concept of an object unmarshalling technique discovered by researchers of Code-White, implementing the .NET WebClient class method to read/write internal files and using a custom channel sink to force the connection to the correct host and port, arbitrary fil

@VAMorales
VAMorales / PACSGEAR-PACSScanAFR-NETRemoting.md
Created July 1, 2026 11:50
PACSGEAR PACS Scan - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting

1. Exploit Title: PACSGEAR PACS Scan - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting

Disclosure Date: 07/01/2026

Exploit Authors: Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.

Known Affected Versions: 5.2.1

Description

PACSGear PACS Scan exposes on all interfaces a .NET Remoting service on port 22222 registered by the executable file PGImageExchQueue.exe. The RegisterWellKnownServiceType function is used to register the .NET Remoting TCP channel for the service configured. The registered ObjectURI is PGImageExchange. By modifying the Proof of Concept of an object unmarshalling technique discovered by researchers of Code-White, implementing the .NET WebClient class method to read/write internal files and using a custom channel sink to force the connection to the correct host and port, arbitrary file read can be ac

@VAMorales
VAMorales / RickKnowles-WinstoneServletContainerAFR.md
Created June 25, 2026 11:41
Rick Knowles Winstone Servlet Container - Unauthenticated Arbitrary File Read - (CVE-2026-56122)

1. Exploit Title: Rick Knowles Winstone Servlet Container - Unauthenticated Arbitrary File Read

Disclosure Date: 06/25/2026

Exploit Authors: Victor A. Morales of GM Sectec, Corp.

Known Affected Versions: 0.9.10 and prior

Description

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

@VAMorales
VAMorales / Seagull BarTender Multiple Vulnerabilities.md
Last active June 28, 2026 12:47
Seagull BarTender - CVE-2026-25550 / CVE-2026-25551

1. Exploit Title: Seagull Scientific BarTender - Unauthenticated Arbitrary File Read/Write + RCE & SMB coercion via .NET Remoting

Disclosure Date: 06/03/2026

Exploit Authors: Victor A. Morales and Jan Rodriguez of GM Sectec, Corp.

Known Affected Versions: 2016 <= R9, 2019 <= R10

Description

BarTender exposes a deprecated .NET Remoting TCP channel running in secure mode on port 7375 to all interfaces via the BtSystem.Service.exe Service executable. This can be exploited using anonymous authentication on the .NET TCP remoting endpoint that varies by version to coerce the target to an attacker-specified SMB share or to arbitrarily read/write files to the server in the context of NT AUTHORITY\SYSTEM. By modifying the PoC of Code-White's RemotingClient_MBRO.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the cor

@VAMorales
VAMorales / BridgeHeadFileStoreApacheAxis2RCE.md
Created April 24, 2026 11:57
BridgeHead Software - BridgeHead FileStore Apache Axis2 Default Credentials RCE (CVE-2026-39920)

Exploit Title: BridgeHead Software - BridgeHead FileStore Apache Axis2 Default Credentials RCE

Disclosure Date: 4/24/2026

Exploit Authors: Victor A. Morales of GM Sectec, Corp.

Known Affected Versions: < 24A

Description

BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

@VAMorales
VAMorales / Kofax Capture - Unauthenticated NET Remoting vulnerabilities.md
Created April 23, 2026 14:32
Kofax Capture - Unauthenticated File Read/Write and SMB coercion via .NET Remoting

Exploit Title: Tungsten Automation - Kofax Capture Unauthenticated File Read/Write and SMB coercion via .NET HTTP Remoting

Disclosure Date: 4/23/2026

Exploit Authors: Victor A. Morales of GM Sectec, Corp.

Known Affected Versions: 6.0.0.0

Description

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service (C:\Kofax\CaptureSS\ServLib\Bin\ACSvc.exe) that is accessible without authentication and uses a default, publicly known endpoint identifier. By modifying the PoC of Code-White's RemotingClient_MBRO_Lazy.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the correct host, an unauthenticated remote attacker can exploit .NET Remoting object unma

@VAMorales
VAMorales / Unisys-WebPerfect Image Suite-CVE-2026-39906-CVE-2026-39907.md
Created April 23, 2026 14:14
Unisys - WebPerfect Image Suite - CVE-2026-39906 / CVE-2026-39907

Exploit Title: Unisys - WebPerfect Image Suite NTLMv2 Hash Leakage via .NET Remoting

Disclosure Date: 4/23/2026

Exploit Authors: Victor A. Morales of GM Sectec, Corp.

Known Affected Versions: 3.0.3960.22810, 3.0.3960.22604

Description

Deprecated .NET Remoting technology on an ephemeral network reachable port is used by the program Unisys.SOA.PerfectImageService.exe. Modifying the PoC of Code-White's RemotingClient_MBVO.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the correct host, it was determined that the System.Media.SoundPlayer class technique allows SMB coercion by supplying a remote UNC path to leak the NTLMv2 hash of the account running the service.

@VAMorales
VAMorales / Entrust Security Bulletin E25-002.md
Created April 24, 2025 21:27
Entrust Security Bulletin E25-002

Entrust Security Bulletin E25-002

Unauthenticated Arbitrary File Reading and Arbitrary Code Execution Vulnerability in Printer Manager Systems


Who Should Read This Bulletin

Customers with printers running D3.18.4-3 or prior firmware with Printer Manager enabled (the default configuration). Customers with this configuration are advised to upgrade to the latest version and apply the remediation steps described herein.

Exploit Title: Hyland Software OnBase - Unauthenticated Remote Code Execution via .NET Deserialization

Disclosure Date: 04/09/2025

CVEID: CVE-2025-34153

Exploit Authors: Victor A. Morales, GM Sectec Inc.

Vendor Homepage: https://www.hyland.com/

Affected Versions: < 17.0.2.87 (other versions may be affected)

Known Fixed Version: 24.1 (earlier versions may contain a fix)

Description