PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25551 Seagull Software, LLC. CVE debrief

CVE-2026-25551 is an insecure deserialization vulnerability in Seagull Software BarTender 2021 R1 through 12.0.1. The vulnerability allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint, bound to localhost on TCP port 7375 via BtSystem.Service.exe, limits the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY SYSTEM.

Vendor
Seagull Software, LLC.
Product
BarTender 2021
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-04
Advisory published
2026-06-04
Advisory updated
2026-06-04

Who should care

Users of Seagull Software BarTender 2021 R1 through 12.0.1 should apply patches or mitigations to prevent local privilege escalation.

Technical summary

The vulnerability is caused by an insecure deserialization in the DataServiceSingleton .NET Remoting endpoint. The endpoint is bound to localhost on TCP port 7375 and is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. This allows a low-privileged local attacker to send malicious payloads to the endpoint and achieve code execution as NT AUTHORITY SYSTEM.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by Seagull Software to address the insecure deserialization vulnerability.
  • Restrict access to the DataServiceSingleton .NET Remoting endpoint to only necessary users and services.
  • Monitor for suspicious activity on TCP port 7375 and investigate any anomalies.
  • Consider implementing additional security measures, such as network segmentation and least privilege principles, to reduce the attack surface.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and references.

Official resources

public