Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26222 is a critical vulnerability in Altec DocLink version 4.0.336.0 and earlier. It arises because the software exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP without requiring authentication. These endpoints use the ObjectURI "doclinkServer.soap" and are vulnerable to unsafe object unmarshalling.'}, {'type': 'paragraph', 'content': 'This vulnerability allows remote attackers to read arbitrary files on the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because some writable paths may be web-accessible under IIS, this can lead to unauthenticated remote code execution or denial of service through file overwrite.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive files, unauthorized modification or creation of files on the server, and potentially full remote code execution without any authentication.

• Remote attackers can read arbitrary files from the system, compromising confidentiality.
• Attackers can write arbitrary files to server locations, potentially overwriting critical files and causing denial of service.
• Because writable paths may be accessible via IIS, attackers can execute arbitrary code remotely, leading to full system compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the presence of the Altec.RDCHostService.exe process exposing .NET Remoting endpoints over TCP and HTTP/SOAP, specifically using the ObjectURI "doclinkServer.soap". Network scanning tools can be used to detect open TCP ports associated with this service.'}, {'type': 'paragraph', 'content': 'Commands to detect the vulnerable service might include scanning for open TCP ports commonly used by .NET Remoting services (such as port 8080 or others configured) using tools like nmap:'}, {'type': 'list_item', 'content': 'nmap -p- --open -sV -sT <target-ip>'}, {'type': 'paragraph', 'content': 'Additionally, checking running processes on the system for Altec.RDCHostService.exe can be done with commands like:'}, {'type': 'list_item', 'content': 'tasklist /FI "IMAGENAME eq Altec.RDCHostService.exe" (Windows)'}, {'type': 'list_item', 'content': 'ps aux | grep Altec.RDCHostService.exe (Linux, if applicable)'}, {'type': 'paragraph', 'content': 'Further detection can involve attempting to connect to the exposed endpoint and verifying if it responds without authentication, which indicates vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include disabling or restricting access to the Altec.RDCHostService.exe .NET Remoting endpoints, especially the ObjectURI "doclinkServer.soap".'}, {'type': 'paragraph', 'content': 'Ensure that authentication is required for accessing these endpoints to prevent unauthenticated exploitation.'}, {'type': 'paragraph', 'content': 'Restrict network access to the vulnerable service by applying firewall rules to block external access to the ports used by the service.'}, {'type': 'paragraph', 'content': 'Review and harden IIS configurations to prevent writable paths from being web-accessible, thereby reducing the risk of remote code execution or denial of service.'}, {'type': 'paragraph', 'content': 'Apply any available patches or updates from Beyond Limits Inc. or the maintainers of Altec DocLink to address the vulnerability.'}] [2]

Useful 0 Not Useful 0