
CVE-2026-58127

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Elevated risk
0.78%

51st percentile: higher than 51% of all known CVEs

Summary

The vulnerability in PACSgear MediaWriter 5.2.1 is caused by missing authentication on the .NET Remoting TCP service on port 9000. An unauthenticated remote attacker can read and write arbitrary files on the host filesystem, then chain the file write with DLL hijacking in the MediaWriter service (which loads missing DLLs from its application directory) to achieve remote code execution as SYSTEM.

Risk Assessment

The risk for the organization includes full system compromise by an unauthenticated attacker, potentially leading to data theft, malware installation, or service disruption.

Recommendation

Immediately update PACSgear MediaWriter to the latest version that fixes this vulnerability. Until then, block port 9000 on the firewall and restrict access to the service to trusted IP addresses only.

Original NVD description (English source)

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS