PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25550 Seagull Software, LLC. CVE debrief

CVE-2026-25550 is a critical unauthenticated remote code execution vulnerability in Seagull Software BarTender 2010, 2016, and 2019. The vulnerability exists in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint — BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 — configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. This allows an unauthenticated remote attacker to exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server. This could enable sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY SYSTEM.

Vendor
Seagull Software, LLC.
Product
BarTender 2010
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-04
Advisory published
2026-06-04
Advisory updated
2026-06-04

Who should care

Administrators and users of Seagull Software BarTender 2010, 2016, and 2019 should be aware of this vulnerability and take immediate action to mitigate it.

Technical summary

The vulnerability has a CVSS score of 9.3 and is considered critical. It is caused by the .NET Remoting service being exposed on TCP port 7375 without proper authentication. An attacker can exploit this vulnerability to execute arbitrary code on the server.

Defensive priority

High

Recommended defensive actions

  • Immediately disable the .NET Remoting service on TCP port 7375.
  • Block incoming traffic on TCP port 7375 at the network perimeter.
  • Apply patches or updates provided by Seagull Software to fix the vulnerability.
  • Use a Web Application Firewall (WAF) to detect and prevent exploitation attempts.

Evidence notes

The CVE record was published on 2026-06-04T18:16:28.747Z and modified on 2026-06-04T19:15:17.327Z. The vulnerability was reported by [email protected].

Official resources

CVE-2026-25550 was published on 2026-06-04T18:16:28.747Z and modified on 2026-06-04T19:15:17.327Z.