CVE-2026-21665
Received Received - Intake
Unsafe Deserialization in Fiserv Print Service Enables RCE

Publication date: 2026-02-23

Last updated on: 2026-02-25

Assigner: HackerOne

Description
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries. This CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-25
Generated
2026-05-27
AI Q&A
2026-02-24
EPSS Evaluated
2026-05-25
NVD
CVE-2026-21665
EUVD
EUVD-2026-7470
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fiserv originate_loans_peripherals to 2025.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, customers should upgrade from the unsupported version 2021.2.4 of Fiserv Originate Loans Peripherals to a currently supported release, version 2025.1 or later.

Additionally, ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries by restricting these ports to trusted network segments.

Note that this vulnerability applies only to client-hosted deployments with exposed .NET Remoting ports and does not affect Fiserv-hosted environments.


Can you explain this vulnerability to me?

The vulnerability exists in the Print Service component of Fiserv Originate Loans Peripherals version 2021.2.4, which uses deprecated .NET Remoting TCP channels. These channels allow unsafe deserialization of untrusted data, meaning that when the service ports are exposed to an untrusted network, an unauthenticated attacker can exploit this to execute remote code on the system.

This issue occurs specifically in client-managed deployments where the .NET Remoting service ports are exposed beyond trusted network boundaries. The affected version is no longer supported, and the vulnerability does not apply to Fiserv-hosted environments.


How can this vulnerability impact me? :

If you are running the unsupported version 2021.2.4 of Fiserv Originate Loans Peripherals with exposed .NET Remoting TCP ports, an unauthenticated attacker could remotely execute arbitrary code on your system. This could lead to full compromise of the affected system, unauthorized access, data theft, or disruption of services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart