CVE-2026-25551
Awaiting Analysis Awaiting Analysis - Queue
Insecure Deserialization in Seagull BarTender

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulnCheck

Description
Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\\SYSTEM.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-12
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-11
NVD
CVE-2026-25551
EUVD
EUVD-2026-34306
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
seagull_software bartender From 12.0.1 (inc)
seagull_software bartender From 2021_r1 (inc) to 12.0.1 (inc)
seagull_software bartender 12.0.1
seagull_software bartender 2016_r9
seagull_software bartender 2019_r10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting or disabling local access to the TCP port 7375 used by the BtSystem.Service.exe process hosting the vulnerable .NET Remoting endpoint.

Since the attack surface is limited to local access, ensure that only trusted users have local access to the affected system.

Applying updates or patches from Seagull Software that address this insecure deserialization vulnerability is recommended once available.

As a temporary workaround, consider stopping the BtSystem.Service.exe service if it is not critical for your operations.

Executive Summary

CVE-2026-25551 is an insecure deserialization vulnerability in Seagull Software BarTender versions 2021 R1 through 12.0.1. It exists in the DataServiceSingleton .NET Remoting endpoint, which listens only on localhost TCP port 7375 via the BtSystem.Service.exe process.

The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, which allows attackers to send specially crafted serialized payloads generated by tools like YSoSerial.NET.

A low-privileged local user can exploit this by sending malicious payloads to the endpoint, resulting in arbitrary code execution with NT AUTHORITY\SYSTEM privileges, effectively escalating their privileges to the highest system level.

Impact Analysis

This vulnerability allows a low-privileged local attacker to escalate their privileges to SYSTEM level, which is the highest privilege on a Windows system.

With SYSTEM privileges, an attacker can execute arbitrary code, gain full control over the affected system, install malware, access sensitive data, modify system configurations, and potentially move laterally within a network.

The attack surface is limited to local access only, meaning the attacker must have some form of local access to the machine to exploit this vulnerability.

Detection Guidance

This vulnerability can be detected by checking if the Seagull Software BarTender service is running and listening on localhost TCP port 7375, specifically the BtSystem.Service.exe process hosting the DataServiceSingleton .NET Remoting endpoint.

You can use commands to verify if the port is open and bound to localhost and identify the process using it.

  • On Windows, use: netstat -ano | findstr :7375
  • Then, identify the process with the PID from netstat: tasklist /FI "PID eq <PID>"
  • Check if BtSystem.Service.exe is running: tasklist | findstr BtSystem.Service.exe

Additionally, detection can involve monitoring for unusual local connections or attempts to send serialized payloads to TCP port 7375 on localhost.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25551. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart