Cyber Resilience

CVE-2026-23746

Critical · Public PoC · RCE

Published: 15 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: (no value given)
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0086 (53.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23746 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Entrust Instant Financial (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Entrust Instant Financial Issuance (IFI) On Premise software, formerly known as CardWizard, versions 5.x prior to 6.10.5 and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel using unsafe formatter and channel settings that allow untrusted remoting object invocation, corresponding to CWE-306 and CWE-502 weaknesses.

A remote unauthenticated attacker who can reach the exposed remoting port can invoke the service's remoting objects to read arbitrary files from the server and coerce outbound authentication. The same access may be leveraged through known .NET Remoting techniques to achieve arbitrary file write and remote code execution, resulting in disclosure of sensitive installation and service-account data as well as full compromise of the affected host. The vulnerability carries a CVSS 4.0 score of 9.3.

The vendor advisory at trustedcare.entrust.com and the VulnCheck summary both direct customers to upgrade to the fixed releases 6.10.5 or 6.11.1, which close the unsafe remoting channel. No other mitigations such as network segmentation or configuration changes are specified in the references.

EPSS for the CVE rose from a low baseline to a peak of 0.0153 on 2026-02-16 before receding to the current value of 0.0041, indicating a temporary increase in exploitation interest after public disclosure.

Vulnerability details

Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
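As an added illustration of the weakness class described above (this is not Entrust's code and not the configuration of DCG.SmartCardControllerService.exe, which the references do not publish), the following C# shows the kind of .NET Remoting TCP channel registration that CWE-306 plus CWE-502 point at, beside a hardened equivalent. The class name, the object URI `SmartCardController.rem` and the port are placeholders chosen for the example.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical remoted object standing in for whatever the real service exposes.
// Every public method on it is callable by any client that can reach the channel.
public class SmartCardControllerImpl : MarshalByRefObject
{
    public string Ping() => "illustrative";
}

public static class RemotingSetup
{
    // WEAK: the CWE-306 + CWE-502 pattern. No caller authentication, and a binary
    // formatter that will deserialize any type the client chooses to send.
    public static void RegisterWeak(int port)   // port is a placeholder, not the real one
    {
        var sink = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Full };
        var props = new Hashtable { ["port"] = port };
        var channel = new TcpChannel(props, null, sink);
        ChannelServices.RegisterChannel(channel, ensureSecurity: false);   // no auth, no encryption
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(SmartCardControllerImpl), "SmartCardController.rem", WellKnownObjectMode.Singleton);
    }

    // HARDENED: loopback-only bind, SSPI authentication plus encryption on the channel,
    // and the restrictive type filter. This shrinks the attack surface; it does not make
    // .NET Remoting safe to expose to untrusted networks, which is why the fix is the upgrade.
    public static void RegisterHardened(int port)
    {
        var sink = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Low };
        var props = new Hashtable
        {
            ["port"] = port,
            ["bindTo"] = "127.0.0.1",            // unreachable from other hosts
            ["secure"] = true,                   // authenticate callers via SSPI
            ["protectionLevel"] = "EncryptAndSign"
        };
        var channel = new TcpChannel(props, null, sink);
        ChannelServices.RegisterChannel(channel, ensureSecurity: true);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(SmartCardControllerImpl), "SmartCardController.rem", WellKnownObjectMode.Singleton);
    }
}
```

Microsoft treats .NET Remoting as a legacy technology, so the hardened variant is a stopgap for an environment that cannot upgrade immediately; the vendor's fixed releases remain the actual remediation.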

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure .NET Remoting exposure on a network-reachable service (missing auth + unsafe deserialization) directly enables remote unauthenticated exploitation of a public-facing application, leading to RCE/file access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-35051 (shared CWE-306, CWE-502)
CVE-2025-35050 (shared CWE-306, CWE-502)
CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2026-4810 (shared CWE-306)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2025-60039 (shared CWE-502)

Affected Assets

Entrust Instant Financial (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-306: Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.

addresses CWE-306: Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

addresses CWE-306: Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

addresses CWE-306: Guarantees critical functions are protected by mandatory invocation of the access control mechanism.

addresses CWE-306: Auditing sessions makes it possible to detect access to critical functions without required authentication.

addresses CWE-306: The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.

addresses CWE-306: Certification assesses that critical functions have required authentication controls in place.

addresses CWE-502: Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.