Cyber Posture

CVE-2026-23751

Critical · Public PoC

Published: 23 April 2026

Modified: 24 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23751 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tungsten Automation (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 48.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Restricting systems to least functionality eliminates the unnecessary deprecated .NET Remoting channel on port 2424, preventing unauthenticated remote exploitation.

prevent

Boundary protection controls network communications to block unauthorized inbound access to the exposed unauthenticated HTTP channel on port 2424.

prevent

Limits permitted actions without identification or authentication, directly prohibiting unauthenticated access to critical Remoting functions enabling file operations and code execution.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1105 Ingress Tool Transfer (Command And Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1187 Forced Authentication (Credential Access)
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

Why these techniques?

T1190 for unauthenticated exploitation of public-facing .NET Remoting service; T1005 for arbitrary file reads; T1105 for writing attacker-controlled files; T1187 for NTLMv2 authentication coercion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.

Deeper analysis · AI

CVE-2026-23751 affects Kofax Capture, now referred to as Tungsten Capture, specifically version 6.0.0.0, with other versions potentially vulnerable. The vulnerability stems from the Ascent Capture Service exposing a deprecated .NET Remoting HTTP channel on port 2424, which is accessible without authentication and uses a default, publicly known endpoint identifier. This misconfiguration enables exploitation through .NET Remoting object unmarshalling techniques. It is scored at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and linked to CWE-306 (Missing Authentication for Critical Function) and CWE-441 (Unintended Proxy or Intermediary).

An unauthenticated remote attacker can exploit this by instantiating a remote System.Net.WebClient object via the exposed channel. This allows reading arbitrary files from the server filesystem, writing attacker-controlled files to the server, or coercing NTLMv2 authentication to an attacker-controlled host. Depending on the privileges of the service account and the network environment, successful exploitation can lead to sensitive credential disclosure, denial of service, remote code execution, or lateral movement.

Advisories and resources, including the Tungsten Automation documentation, a GitHub gist detailing the issue, and a VulnCheck advisory, provide additional technical details on the vulnerability, such as proof-of-concept exploitation steps for file read/write and SMB coercion via .NET Remoting. Practitioners should consult these for guidance on identification and potential workarounds, as no specific patch details are outlined in the core CVE information.

Details

CWE(s)

Affected Products

Tungstenautomation
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-24865 · Shared CWE-306
CVE-2024-13186 · Shared CWE-306
CVE-2026-34732 · Shared CWE-306
CVE-2025-43428 · Shared CWE-306
CVE-2025-30111 · Shared CWE-306
CVE-2026-39906 · Shared CWE-441
CVE-2025-25224 · Shared CWE-306
CVE-2026-26333 · Shared CWE-306
CVE-2026-42796 · Shared CWE-306
CVE-2026-32646 · Shared CWE-306

References