CVE-2026-23746
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: VulnCheck

Description
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23746
EUVD
EUVD-2026-2714
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
entrust instant_financial_issuance to 6.10.5 (exc)
entrust instant_financial_issuance to 6.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to severe impacts including disclosure of sensitive installation and service-account data, arbitrary file read and write on the server, forced outbound authentication, and remote code execution. Ultimately, it can result in full compromise of the affected host, allowing attackers to control or disrupt the system. [1]

Executive Summary

CVE-2026-23746 is a critical vulnerability in Entrust Instant Financial Issuance (IFI) On Premise software versions 5.x prior to 6.10.5 and 6.11.1. It exists in the SmartCardController service, which exposes an insecure .NET Remoting interface. This interface registers a TCP remoting channel with unsafe formatter settings that allow untrusted remote object invocation without authentication. This means a remote attacker who can access the remoting port can invoke exposed objects to read arbitrary files, force outbound authentication, and potentially write files or execute code remotely on the affected server. [1]

Detection Guidance

This vulnerability can be detected by identifying if the SmartCardController service (DCG.SmartCardControllerService.exe) is running and exposing a .NET Remoting TCP channel with unsafe formatter settings. Network scanning tools can be used to detect open TCP ports associated with the remoting service. Specific commands are not provided in the resources, but generally, you can use tools like 'netstat' to check for listening TCP ports on the host, and 'nmap' to scan for open remoting ports remotely. Additionally, inspecting running processes for DCG.SmartCardControllerService.exe can help confirm the presence of the vulnerable service. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Entrust Instant Financial Issuance (IFI) On Premise software to version 6.10.5 or later, or 6.11.1 or later, where the vulnerability is fixed. Until the upgrade can be applied, restrict network access to the remoting port used by the SmartCardController service to trusted hosts only, and consider disabling the service if it is not required. Applying network-level controls such as firewall rules to block unauthenticated remote access to the remoting port can reduce the risk of exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart