CVE-2026-23746
Published: 15 January 2026
Summary
CVE-2026-23746 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Entrust Instant Financial (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Entrust Instant Financial Issuance (IFI) On Premise software, formerly known as CardWizard, versions 5.x prior to 6.10.5 and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel using unsafe formatter and channel settings that allow untrusted remoting object invocation, corresponding to CWE-306 and CWE-502 weaknesses.
A remote unauthenticated attacker who can reach the exposed remoting port can invoke the service's remoting objects to read arbitrary files from the server and coerce outbound authentication. The same access may be leveraged through known .NET Remoting techniques to achieve arbitrary file write and remote code execution, resulting in disclosure of sensitive installation and service-account data as well as full compromise of the affected host. The vulnerability carries a CVSS 4.0 score of 9.3.
The vendor advisory at trustedcare.entrust.com and the VulnCheck summary both direct customers to upgrade to the fixed releases 6.10.5 or 6.11.1, which close the unsafe remoting channel. No other mitigations such as network segmentation or configuration changes are specified in the references.
EPSS for the CVE rose from a low baseline to a peak of 0.0153 on 2026-02-16 before receding to the current value of 0.0041, indicating a temporary increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2714
Vulnerability details
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
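The two descriptions above reduce to the same defender questions: is the installed SmartCardController build one of the affected versions, and is its TCP remoting channel bound to an address other than loopback? The following PowerShell script, added here as an illustration and not taken from the Entrust advisory, VulnCheck or the product itself, answers both on an IFI host. It assumes (labelled in the code) that the product version can be read from the file version of DCG.SmartCardControllerService.exe and that the remoting port is whatever TCP listener that process owns; the install path is a placeholder to be replaced with the real one.

```powershell
# Added example (not vendor code): exposure and version check for the IFI
# SmartCardController service described in CVE-2026-23746.
# Assumptions: the product version is carried in the exe's FileVersion, and the
# remoting channel is a TCP listener owned by the service process. The install
# path below is a placeholder, not the product's documented location.

$ExePath = 'C:\PLACEHOLDER_INSTALL_DIR\DCG.SmartCardControllerService.exe'

function Test-IfiVulnerableVersion {
    # Fixed releases named in the advisory: 6.10.5 (6.10 branch) and 6.11.1 (6.11 branch).
    # Anything below 6.10.5 (which includes all 5.x) or in [6.11.0, 6.11.1) is affected.
    param([Parameter(Mandatory)][version]$Version)
    if ($Version -lt [version]'6.10.5') { return $true }
    if ($Version -ge [version]'6.11.0' -and $Version -lt [version]'6.11.1') { return $true }
    return $false
}

function Get-SmartCardControllerListeners {
    # Returns the TCP listeners owned by the running service process, flagging any
    # that are bound to a non-loopback address and are therefore reachable remotely.
    $procs = Get-Process -Name 'DCG.SmartCardControllerService' -ErrorAction SilentlyContinue
    if (-not $procs) { return @() }
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $procs.Id -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'ExposedBeyondLoopback'
               Expression = { $_.LocalAddress -notin @('127.0.0.1', '::1') } }
}

# --- Report ---------------------------------------------------------------
if (Test-Path -LiteralPath $ExePath) {
    $fileVersion = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    # Keep only the leading numeric part (e.g. "6.10.4.0 build x" -> "6.10.4.0").
    $ver = [version]($fileVersion -replace '[^\d.].*$', '')
    $affected = Test-IfiVulnerableVersion -Version $ver
    [pscustomobject]@{
        Executable      = $ExePath
        FileVersion     = $ver.ToString()
        AffectedVersion = $affected
        Remediation     = if ($affected) { 'Upgrade to 6.10.5 or 6.11.1' } else { 'None required' }
    }
} else {
    Write-Warning "Service binary not found at $ExePath (placeholder path; adjust to the real install dir)."
}

$listeners = Get-SmartCardControllerListeners
if ($listeners.Count -eq 0) {
    Write-Output 'SmartCardController process not running or owns no TCP listeners.'
} else {
    Write-Output 'TCP listeners owned by DCG.SmartCardControllerService.exe:'
    $listeners | Format-Table -AutoSize
    if ($listeners | Where-Object ExposedBeyondLoopback) {
        Write-Warning 'Remoting channel is bound to a non-loopback address and reachable from the network.'
    }
}
```

Run it elevated on the IFI server; Get-NetTCPConnection needs the NetTCPIP module that ships with Windows 8 / Server 2012 and later. The listener output is the useful part even on a patched host: the advisory's only stated fix is the upgrade, so a listener bound to 0.0.0.0 on an unpatched build is the condition to escalate, while a build at or above the fixed releases simply confirms the channel has been closed by the vendor.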
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Insecure .NET Remoting exposure on a network-reachable service (missing auth + unsafe deserialization) directly enables remote unauthenticated exploitation of a public-facing application, leading to RCE/file access.
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
- Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
- Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
- Auditing sessions makes it possible to detect access to critical functions without required authentication.
- The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
- Certification assesses that critical functions have required authentication controls in place.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.