CVE-2026-58127
Published: 01 July 2026
Summary
CVE-2026-58127 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Hyland (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-41037
Vulnerability details
PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The exposed, unauthenticated .NET Remoting service enables remote exploitation (T1190); the arbitrary file write, chained with DLL loading from the application directory, enables DLL hijacking for remote code execution as SYSTEM (T1574.001, T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires the .NET Remoting service to enforce authentication and authorization before permitting any file read/write operations via the unauthenticated RemoteObj/UIRemoteObj endpoints.
Requires boundary protection (e.g., firewall rules, network segmentation) to block unauthenticated external connections to TCP port 9000 and the exposed .NET Remoting service.
Requires the MediaWriter service to run with least privilege instead of NT AUTHORITY\SYSTEM, limiting the impact of the DLL hijacking primitive obtained via the file-write flaw.
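A host-side audit of the three conditions above, as an added example that is not vendor code or part of the original advisory: it reports whether anything listens on TCP 9000, which account the owning service runs as, and whether a CRYPTBASE.DLL sits in the application directory. Port 9000 and the DLL name are taken from the description; the function name is hypothetical, and the service name and install path are discovered at runtime rather than assumed.

```powershell
# Added audit example (not vendor code). Run elevated on the MediaWriter host.
# Port 9000 and CRYPTBASE.DLL come from the advisory text; the service name
# and install path are discovered at runtime rather than assumed.
function Get-RemotingPortExposure {
    param(
        [int]$Port = 9000,
        [string]$HijackDll = 'CRYPTBASE.DLL'
    )
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $procId = $l.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $svc    = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                  Select-Object -First 1
        # Prefer the service's PathName (may be quoted and carry arguments).
        $exe = $proc.Path
        if ($svc -and $svc.PathName -match '^\s*"?(.+?\.exe)') { $exe = $Matches[1] }
        $dir      = if ($exe) { Split-Path -Parent $exe } else { $null }
        $dllPath  = if ($dir) { Join-Path $dir $HijackDll } else { $null }
        $dllFound = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))

        [pscustomobject]@{
            Process        = $proc.ProcessName
            Service        = $svc.Name
            RunsAs         = $svc.StartName
            RunsAsSystem   = $svc.StartName -eq 'LocalSystem'
            ListenAddress  = $l.LocalAddress
            AllInterfaces  = $l.LocalAddress -in '0.0.0.0', '::'
            AppDirectory   = $dir
            HijackDllInDir = $dllFound
        }
    }
}

Get-RemotingPortExposure | Format-List

# Boundary protection if no remote client needs the port (assumption; confirm
# against your workflow before applying). Block rules override allow rules.
# New-NetFirewallRule -DisplayName 'Block inbound TCP 9000' -Direction Inbound `
#     -Protocol TCP -LocalPort 9000 -Action Block
```

No output means nothing is listening on the port. `HijackDllInDir = True` warrants investigation, because the legitimate CRYPTBASE.DLL ships in System32 and the description states the service loads it from the application directory when present there.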
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248585 OL 8 must require reauthentication when using the "sudo" command. via CWE-306
- V-248827 OL 8 must not have the rsh-server package installed. via CWE-306
RHEL 7 (2 rules)
- V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-306
- V-237635 The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. via CWE-306
RHEL 8 (2 rules)
- V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-306
- V-237643 RHEL 8 must require re-authentication when using the "sudo" command. via CWE-306