CVE-2026-25551
Insecure Deserialization in Seagull BarTender
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seagull_software | bartender | From 12.0.1 (inc) |
| seagull_software | bartender | From 2021_r1 (inc) to 12.0.1 (inc) |
| seagull_software | bartender | 12.0.1 |
| seagull_software | bartender | 2016_r9 |
| seagull_software | bartender | 2019_r10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling local access to the TCP port 7375 used by the BtSystem.Service.exe process hosting the vulnerable .NET Remoting endpoint.
Since the attack surface is limited to local access, ensure that only trusted users have local access to the affected system.
Applying updates or patches from Seagull Software that address this insecure deserialization vulnerability is recommended once available.
As a temporary workaround, consider stopping the BtSystem.Service.exe service if it is not critical for your operations.
Can you explain this vulnerability to me?
CVE-2026-25551 is an insecure deserialization vulnerability in Seagull Software BarTender versions 2021 R1 through 12.0.1. It exists in the DataServiceSingleton .NET Remoting endpoint, which listens only on localhost TCP port 7375 via the BtSystem.Service.exe process.
The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, so it deserializes specially crafted serialized payloads that an attacker sends to it, such as those generated by tools like YSoSerial.NET.
A low-privileged local user can exploit this by sending malicious payloads to the endpoint, resulting in arbitrary code execution with NT AUTHORITY\SYSTEM privileges, effectively escalating their privileges to the highest system level.
How can this vulnerability impact me?
This vulnerability allows a low-privileged local attacker to escalate their privileges to SYSTEM level, which is the highest privilege on a Windows system.
With SYSTEM privileges, an attacker can execute arbitrary code, gain full control over the affected system, install malware, access sensitive data, modify system configurations, and potentially move laterally within a network.
The attack surface is limited to local access only, meaning the attacker must have some form of local access to the machine to exploit this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Seagull Software BarTender service is running and listening on localhost TCP port 7375, specifically the BtSystem.Service.exe process hosting the DataServiceSingleton .NET Remoting endpoint.
The following commands verify that the port is open and bound to localhost, and identify the process using it.
- On Windows, use: `netstat -ano | findstr :7375`
- Then, identify the process with the PID from netstat: `tasklist /FI "PID eq <PID>"`
- Check if BtSystem.Service.exe is running: `tasklist | findstr BtSystem.Service.exe`
Additionally, detection can involve monitoring for unusual local connections or attempts to send serialized payloads to TCP port 7375 on localhost.
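The checks above combined into one PowerShell audit, as an added example that is not from Seagull Software or the original page. It uses only the port 7375 and the BtSystem.Service.exe process name given above, together with the built-in `Get-NetTCPConnection`, `Get-Process` and `Get-CimInstance` cmdlets; the function name is hypothetical.

```powershell
# Added example: audit the localhost listener described for CVE-2026-25551.
# Port and process name are taken from the text above; Get-BtRemotingListener is a hypothetical helper name.
$Port            = 7375
$ExpectedProcess = 'BtSystem.Service'   # Get-Process reports names without ".exe"

function Get-BtRemotingListener {
    param([int]$Port, [string]$ExpectedProcess)

    # Every socket in LISTEN state on the port (equivalent to: netstat -ano | findstr :7375)
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $ownerPid = $l.OwningProcess
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        # Map the PID to its Windows service to see which account it runs as
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" |
                Select-Object -First 1
        [pscustomobject]@{
            LocalAddress    = $l.LocalAddress
            OwnerPid        = $ownerPid
            ProcessName     = $proc.ProcessName
            ServiceName     = $svc.Name
            RunsAs          = $svc.StartName
            LoopbackOnly    = $l.LocalAddress -in @('127.0.0.1', '::1')
            MatchesAdvisory = ($proc.ProcessName -eq $ExpectedProcess)
        }
    }
}

$findings = @(Get-BtRemotingListener -Port $Port -ExpectedProcess $ExpectedProcess)
if ($findings.Count -eq 0) {
    "No listener on TCP port $Port."
} else {
    $findings | Format-Table -AutoSize
}

# Local clients currently connected to the endpoint: on loopback, the client side
# of each connection shows RemotePort 7375 and the client's own PID.
Get-NetTCPConnection -RemotePort $Port -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $client = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ClientPid  = $_.OwningProcess
            ClientName = $client.ProcessName
            ClientPath = $client.Path      # may be empty without elevation
        }
    } | Sort-Object ClientPid -Unique | Format-Table -AutoSize
```

Run it from an elevated prompt so process paths resolve. A row with `MatchesAdvisory` true confirms the endpoint is exposed on this host, and the second table gives a baseline of which local processes normally connect to it.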