CVE-2026-26222
Unauthenticated .NET Remoting RCE in Altec DocLink
Publication date: 2026-02-24
Last updated on: 2026-02-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beyond | altec_doclink | 4.0.336.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-26222 is a critical vulnerability in Altec DocLink version 4.0.336.0 and earlier. It arises because the software exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP without requiring authentication. These endpoints use the ObjectURI "doclinkServer.soap" and are vulnerable to unsafe object unmarshalling.'}, {'type': 'paragraph', 'content': 'This vulnerability allows remote attackers to read arbitrary files on the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because some writable paths may be web-accessible under IIS, this can lead to unauthenticated remote code execution or denial of service through file overwrite.'}] [2]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized disclosure of sensitive files, unauthorized modification or creation of files on the server, and potentially full remote code execution without any authentication.
- Remote attackers can read arbitrary files from the system, compromising confidentiality.
- Attackers can write arbitrary files to server locations, potentially overwriting critical files and causing denial of service.
- Because writable paths may be accessible via IIS, attackers can execute arbitrary code remotely, leading to full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the presence of the Altec.RDCHostService.exe process exposing .NET Remoting endpoints over TCP and HTTP/SOAP, specifically using the ObjectURI "doclinkServer.soap". Network scanning tools can be used to detect open TCP ports associated with this service.'}, {'type': 'paragraph', 'content': 'Commands to detect the vulnerable service might include scanning for open TCP ports commonly used by .NET Remoting services (such as port 8080 or others configured) using tools like nmap:'}, {'type': 'list_item', 'content': 'nmap -p- --open -sV -sT <target-ip>'}, {'type': 'paragraph', 'content': 'Additionally, checking running processes on the system for Altec.RDCHostService.exe can be done with commands like:'}, {'type': 'list_item', 'content': 'tasklist /FI "IMAGENAME eq Altec.RDCHostService.exe" (Windows)'}, {'type': 'list_item', 'content': 'ps aux | grep Altec.RDCHostService.exe (Linux, if applicable)'}, {'type': 'paragraph', 'content': 'Further detection can involve attempting to connect to the exposed endpoint and verifying if it responds without authentication, which indicates vulnerability.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include disabling or restricting access to the Altec.RDCHostService.exe .NET Remoting endpoints, especially the ObjectURI "doclinkServer.soap".'}, {'type': 'paragraph', 'content': 'Ensure that authentication is required for accessing these endpoints to prevent unauthenticated exploitation.'}, {'type': 'paragraph', 'content': 'Restrict network access to the vulnerable service by applying firewall rules to block external access to the ports used by the service.'}, {'type': 'paragraph', 'content': 'Review and harden IIS configurations to prevent writable paths from being web-accessible, thereby reducing the risk of remote code execution or denial of service.'}, {'type': 'paragraph', 'content': 'Apply any available patches or updates from Beyond Limits Inc. or the maintainers of Altec DocLink to address the vulnerability.'}] [2]