CVE-2026-21665
Received Received - Intake
Unsafe Deserialization in Fiserv Print Service Enables RCE

Publication date: 2026-02-23

Last updated on: 2026-02-25

Assigner: HackerOne

Description
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries. This CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21665
EUVD
EUVD-2026-7470
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fiserv originate_loans_peripherals to 2025.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, customers should upgrade from the unsupported version 2021.2.4 of Fiserv Originate Loans Peripherals to a currently supported release, version 2025.1 or later.

Additionally, ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries by restricting these ports to trusted network segments.

Note that this vulnerability applies only to client-hosted deployments with exposed .NET Remoting ports and does not affect Fiserv-hosted environments.

Executive Summary

The vulnerability exists in the Print Service component of Fiserv Originate Loans Peripherals version 2021.2.4, which uses deprecated .NET Remoting TCP channels. These channels allow unsafe deserialization of untrusted data, meaning that when the service ports are exposed to an untrusted network, an unauthenticated attacker can exploit this to execute remote code on the system.

This issue occurs specifically in client-managed deployments where the .NET Remoting service ports are exposed beyond trusted network boundaries. The affected version is no longer supported, and the vulnerability does not apply to Fiserv-hosted environments.

Impact Analysis

If you are running the unsupported version 2021.2.4 of Fiserv Originate Loans Peripherals with exposed .NET Remoting TCP ports, an unauthenticated attacker could remotely execute arbitrary code on your system. This could lead to full compromise of the affected system, unauthorized access, data theft, or disruption of services.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart