CVE-2026-0611
Unauthenticated Remote Code Execution in Spacelabs Healthcare Sentinel
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spacelabs_healthcare | sentinel | From 10.5 (inc) to 11.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0611 is an unauthenticated remote code execution vulnerability affecting Spacelabs Healthcare Sentinel versions 10.5.x and higher, and 11.x.x before 11.6.0. It arises from a deprecated .NET Remoting HTTP channel exposed on port 8989 that lacks authentication.
Attackers can exploit this vulnerability by supplying valid .NET URI endpoints to perform arbitrary file read and write operations. This includes writing ASPX webshells to the IIS wwwroot directory, which enables them to execute code remotely on the affected system without authentication.
However, port 8989 is not exposed by default; exploitation requires that this port has been deliberately made network-accessible through configuration or network policy changes.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows unauthenticated attackers to remotely execute arbitrary code on the affected system.
- Attackers can read and write arbitrary files on the system.
- They can deploy ASPX webshells to the IIS wwwroot directory, gaining persistent remote access.
- Such unauthorized access can lead to full system compromise, data theft, data manipulation, or disruption of healthcare services.
Exploitation requires that the vulnerable port is exposed, so systems with default configurations are less likely to be affected unless network or configuration changes have been made.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if port 8989 is exposed and accessible on systems running Spacelabs Healthcare Sentinel versions 10.5.x and higher or 11.x.x before 11.6.0. Since the vulnerability involves a deprecated .NET Remoting HTTP channel on port 8989, network scanning tools can be used to identify if this port is open and listening.
The following commands check whether port 8989 is reachable on a given host:
- `nmap -p 8989 <target-ip>`: scan for open port 8989
- `telnet <target-ip> 8989`: attempt to connect to port 8989
- `curl http://<target-ip>:8989/`: check for an HTTP response on port 8989
If port 8989 is not exposed, the system is likely not vulnerable unless the port has been explicitly made network-accessible through configuration or network policy changes.
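The check above combines two conditions: the installed version and whether port 8989 is reachable. The following added example (not from this page or from Spacelabs) triages an asset inventory on both; the function names, status labels and sample inventory are assumptions made for illustration, and reachability is only measured from the host that runs the script.

```python
import socket

REMOTING_PORT = 8989          # .NET Remoting HTTP channel port named on this page
AFFECTED_FROM = (10, 5, 0)    # inclusive lower bound from the affected-products table
FIXED_IN = (11, 6, 0)         # exclusive upper bound (first fixed release)


def port_reachable(host, port=REMOTING_PORT, timeout=2.0):
    """Return True if a TCP connection succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def version_affected(version):
    """Return True if a dotted version string falls in [10.5, 11.6.0)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (3 - len(parts))  # "10.5" compares as 10.5.0
    return AFFECTED_FROM <= parts < FIXED_IN


def triage(inventory, probe=port_reachable):
    """Classify (host, version) pairs; `probe` is injectable for offline tests."""
    results = {}
    for host, version in inventory:
        affected = version_affected(version)
        exposed = probe(host)
        if affected and exposed:
            status = "CRITICAL: affected version, port 8989 reachable"
        elif affected:
            status = "UPGRADE: affected version, port 8989 not reachable from here"
        elif exposed:
            status = "REVIEW: version outside affected range, port 8989 reachable"
        else:
            status = "OK"
        results[host] = status
    return results


if __name__ == "__main__":
    # Constructed inventory (documentation addresses, not real hosts).
    sample = [("192.0.2.10", "11.5.2"), ("192.0.2.11", "11.6.0")]
    for host, status in triage(sample).items():
        print(host, status)
```

Run it from each network segment that should not reach the Sentinel server; a host that is "not reachable" from one segment may still be exposed to another.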
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that port 8989 is not exposed or accessible from untrusted networks, as the vulnerability requires this port to be network-accessible.
If port 8989 must be used, restrict access to trusted hosts only through firewall rules or network segmentation.
Upgrade Spacelabs Healthcare Sentinel to version 11.6.0 or later, where this vulnerability has been addressed.
Additionally, review and remove any deprecated .NET Remoting HTTP channel configurations that expose port 8989.