CVE-2026-58127
Received - Intake

Unauthenticated Remote Code Execution in PACSgear MediaWriter

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: pacsgear
Product: mediawriter
Version / Range: up to and including 5.2.1

Exploitability

CWE

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Executive Summary

CVE-2026-58127 is a critical vulnerability in PACSgear MediaWriter version 5.2.1 and earlier that exposes a .NET Remoting TCP service on port 9000 without any authentication. This service, provided by PacsgearMediaServerEngine.dll and registered with ObjectURIs RemoteObj and UIRemoteObj, allows unauthenticated remote attackers to exploit object unmarshalling techniques to read and write arbitrary files on the host system.

Attackers can chain this arbitrary file write capability with DLL hijacking opportunities because the MediaWriter service runs with NT AUTHORITY\SYSTEM privileges and loads missing DLLs (such as CRYPTBASE.DLL) from the application directory. By uploading a malicious DLL and restarting the service, attackers can achieve remote code execution (RCE) with SYSTEM-level privileges.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive files through arbitrary file read and write operations. More critically, it allows unauthenticated remote attackers to execute arbitrary code on the affected system with SYSTEM-level privileges.

Such remote code execution can lead to full system compromise, allowing attackers to install malware, steal data, disrupt services, or use the compromised system as a foothold for further attacks within a network.

Detection Guidance

This vulnerability can be detected by checking for a PACSgear MediaWriter 5.2.1 installation that exposes a .NET Remoting TCP service on port 9000. Specifically, verify whether the MediaWriter service, which provides the Remoting endpoint through PacsgearMediaServerEngine.dll, is running and listening on port 9000 with the ObjectURIs RemoteObj and UIRemoteObj.

A network scan can be performed to detect if port 9000 is open on the target system. For example, using nmap:

  • nmap -p 9000 <target-ip>

To further confirm the presence of the vulnerable .NET Remoting service, you can attempt to connect to port 9000 using tools like telnet or netcat:

  • telnet <target-ip> 9000
  • nc <target-ip> 9000

Additionally, on the host system, you can check for the running service and loaded DLLs related to MediaWriter 5.2.1 to confirm the vulnerable version is installed.

Mitigation Strategies

Immediate mitigation steps include restricting network access to port 9000 to trusted hosts only, effectively blocking unauthenticated remote access to the .NET Remoting TCP service.

If possible, stop or disable the PACSgear MediaWriter 5.2.1 service until a patch or update is applied.

Monitor and audit the application directory for unexpected or suspicious DLL files, especially those named like CRYPTBASE.DLL, to prevent DLL hijacking.

Apply any available patches or updates from the vendor that address this vulnerability.

If a patch is not yet available, consider isolating the affected system from untrusted networks to reduce exposure.
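
The host-side check from Detection Guidance and the application-directory audit from Mitigation Strategies can be combined into one PowerShell script; this is an added example, not vendor or advisory code. The `-AppDir` parameter is an assumption: the page does not give the MediaWriter install path, so supply the real one.

```powershell
# Added example: host-side audit for the exposure described on this page.
# Assumption: $AppDir is the MediaWriter install directory (not stated on the
# page); pass the actual path for your installation.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppDir,
    [int]$Port = 9000
)

# 1. Is anything listening on the Remoting port, and on which addresses?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check        = 'Listener'
        LocalAddress = $l.LocalAddress
        Port         = $l.LocalPort
        Process      = $proc.ProcessName
        Path         = $proc.Path
        # Loopback-only listeners are not reachable from the network.
        Exposed      = $l.LocalAddress -notin @('127.0.0.1', '::1')
    }
}
if (-not $listeners) { Write-Output "No listener on TCP $Port" }

# 2. DLLs in the application directory that shadow a Windows system DLL
#    (same file name exists in System32, e.g. CRYPTBASE.DLL) or that do not
#    carry a valid Authenticode signature.
$sys32 = Join-Path $env:WINDIR 'System32'
Get-ChildItem -LiteralPath $AppDir -Filter '*.dll' -File | ForEach-Object {
    $shadowsSystem = Test-Path -LiteralPath (Join-Path $sys32 $_.Name)
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    if ($shadowsSystem -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Check         = 'DLL'
            Name          = $_.Name
            ShadowsSystem = $shadowsSystem
            Signature     = $sig.Status
            Signer        = $sig.SignerCertificate.Subject
            LastWrite     = $_.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}
```

Legitimate application DLLs may also be unsigned, so treat the DLL rows as an inventory to baseline and re-check; a file with `ShadowsSystem = True` and a recent `LastWrite` is the case to investigate first.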
