Executive Summary

CVE-2026-0611 is an unauthenticated remote code execution vulnerability affecting Spacelabs Healthcare Sentinel versions 10.5.x and higher, and 11.x.x before 11.6.0. It arises from a deprecated .NET Remoting HTTP channel exposed on port 8989 that lacks authentication.

Attackers can exploit this vulnerability by supplying valid .NET URI endpoints to perform arbitrary file read and write operations. This includes writing ASPX webshells to the IIS wwwroot directory, which enables them to execute code remotely on the affected system without authentication.

However, port 8989 is not exposed by default; exploitation requires that this port has been deliberately made network-accessible through configuration or network policy changes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to remotely execute arbitrary code on the affected system.

• Attackers can read and write arbitrary files on the system.
• They can deploy ASPX webshells to the IIS wwwroot directory, gaining persistent remote access.
• Such unauthorized access can lead to full system compromise, data theft, data manipulation, or disruption of healthcare services.

Exploitation requires that the vulnerable port is exposed, so systems with default configurations are less likely to be affected unless network or configuration changes have been made.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if port 8989 is exposed and accessible on systems running Spacelabs Healthcare Sentinel versions 10.5.x and higher or 11.x.x before 11.6.0. Since the vulnerability involves a deprecated .NET Remoting HTTP channel on port 8989, network scanning tools can be used to identify if this port is open and listening.

Suggested commands to detect the vulnerability include using network scanning tools such as:

• nmap -p 8989 <target-ip> # Scan for open port 8989
• telnet <target-ip> 8989 # Attempt to connect to port 8989
• curl http://<target-ip>:8989/ # Check for HTTP response on port 8989

If port 8989 is not exposed, the system is likely not vulnerable unless the port has been explicitly made network-accessible through configuration or network policy changes.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include ensuring that port 8989 is not exposed or accessible from untrusted networks, as the vulnerability requires this port to be network-accessible.

If port 8989 must be used, restrict access to trusted hosts only through firewall rules or network segmentation.

Upgrade Spacelabs Healthcare Sentinel to version 11.6.0 or later, where this vulnerability has been addressed.

Additionally, review and remove any deprecated .NET Remoting HTTP channel configurations that expose port 8989.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Spacelabs Healthcare Sentinel allows unauthenticated remote code execution, which can lead to unauthorized access and manipulation of sensitive data. Such a security flaw can compromise the confidentiality, integrity, and availability of protected health information (PHI) managed by the system.

Given that Sentinel handles sensitive cardiovascular patient data and integrates with Electronic Health Records (EHR), exploitation of this vulnerability could result in violations of data protection regulations such as HIPAA and GDPR, which mandate strict controls over access to and protection of personal health information.

Specifically, unauthorized remote code execution could enable attackers to read, modify, or delete PHI, undermining compliance requirements related to data security, auditability, and patient privacy.

Useful 0 Not Useful 0