PatchSiren cyber security CVE debrief
CVE-2026-58127 Hyland CVE debrief
PACSgear MediaWriter 5.2.1 is vulnerable to unauthenticated remote code execution via a .NET Remoting TCP service on port 9000. The service, registered with ObjectURIs RemoteObj and UIRemoteObj, lacks authentication. An attacker can exploit this using the MarshalByRefObject object unmarshalling technique and .NET WebClient class methods to read and write arbitrary files. Chaining this with DLL hijacking in the MediaWriter service, which runs as NT Authority SYSTEM, enables code execution as SYSTEM upon service restart.
- Vendor
- Hyland
- Product
- PACSgear MediaWriter
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-01
- Original CVE updated
- 2026-07-09
- Advisory published
- 2026-07-01
- Advisory updated
- 2026-07-09
Who should care
Organizations using PACSgear MediaWriter 5.2.1 should prioritize patching this critical vulnerability to prevent unauthenticated remote code execution. Affected operators, platform administrators, vulnerability management teams, and security teams should assess their exposure and implement compensating controls if necessary. This includes reviewing system configurations, monitoring for suspicious activity, and applying the vendor patch as soon as possible.
Technical summary
The PACSgear MediaWriter 5.2.1 software exposes a .NET Remoting TCP service on port 9000 without authentication. This service is registered with ObjectURIs RemoteObj and UIRemoteObj. An unauthenticated remote attacker can exploit this vulnerability by using the MarshalByRefObject object unmarshalling technique along with .NET WebClient class methods to read and write arbitrary files on the host filesystem. Furthermore, by chaining the arbitrary file write capability with DLL hijacking opportunities in the MediaWriter service, which runs with elevated privileges as NT Authority SYSTEM, an attacker can achieve unauthenticated remote code execution as SYSTEM upon service restart. The ObjectURIs are identical across all installations by default, making exploitation straightforward.
Defensive priority
High
Recommended defensive actions
- Apply the vendor patch for PACSgear MediaWriter 5.2.1
- Disable the .NET Remoting TCP service on port 9000 if not required
- Implement network segmentation to restrict access to the affected service
- Monitor for suspicious activity on port 9000
- Consider compensating controls such as Web Application Firewalls
- Inventory and verify the presence of PACSgear MediaWriter in your environment
Evidence notes
The CVE record was published on 2026-07-01T16:16:51.417Z and was last modified on 2026-07-09T02:37:28.310Z. The NVD entry is currently Analyzed. The vulnerability details are based on the information provided in the CVE and NVD records, as well as third-party advisories.
Official resources
-
CVE-2026-58127 CVE record
CVE.org
-
CVE-2026-58127 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T16:16:51.417Z and has not been modified since then. The NVD entry is currently Analyzed.