PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58127 Hyland CVE debrief

PACSgear MediaWriter 5.2.1 is vulnerable to unauthenticated remote code execution via a .NET Remoting TCP service on port 9000. The service, registered with ObjectURIs RemoteObj and UIRemoteObj, lacks authentication. An attacker can exploit this using the MarshalByRefObject object unmarshalling technique and .NET WebClient class methods to read and write arbitrary files. Chaining this with DLL hijacking in the MediaWriter service, which runs as NT Authority SYSTEM, enables code execution as SYSTEM upon service restart.

Vendor
Hyland
Product
PACSgear MediaWriter
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-01
Original CVE updated
2026-07-09
Advisory published
2026-07-01
Advisory updated
2026-07-09

Who should care

Organizations using PACSgear MediaWriter 5.2.1 should prioritize patching this critical vulnerability to prevent unauthenticated remote code execution. Affected operators, platform administrators, vulnerability management teams, and security teams should assess their exposure and implement compensating controls if necessary. This includes reviewing system configurations, monitoring for suspicious activity, and applying the vendor patch as soon as possible.

Technical summary

The PACSgear MediaWriter 5.2.1 software exposes a .NET Remoting TCP service on port 9000 without authentication. This service is registered with ObjectURIs RemoteObj and UIRemoteObj. An unauthenticated remote attacker can exploit this vulnerability by using the MarshalByRefObject object unmarshalling technique along with .NET WebClient class methods to read and write arbitrary files on the host filesystem. Furthermore, by chaining the arbitrary file write capability with DLL hijacking opportunities in the MediaWriter service, which runs with elevated privileges as NT Authority SYSTEM, an attacker can achieve unauthenticated remote code execution as SYSTEM upon service restart. The ObjectURIs are identical across all installations by default, making exploitation straightforward.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor patch for PACSgear MediaWriter 5.2.1
  • Disable the .NET Remoting TCP service on port 9000 if not required
  • Implement network segmentation to restrict access to the affected service
  • Monitor for suspicious activity on port 9000
  • Consider compensating controls such as Web Application Firewalls
  • Inventory and verify the presence of PACSgear MediaWriter in your environment

Evidence notes

The CVE record was published on 2026-07-01T16:16:51.417Z and was last modified on 2026-07-09T02:37:28.310Z. The NVD entry is currently Analyzed. The vulnerability details are based on the information provided in the CVE and NVD records, as well as third-party advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T16:16:51.417Z and has not been modified since then. The NVD entry is currently Analyzed.