๐Ÿ” CVE Alert

CVE-2026-58127

CRITICAL 9.8

PACSgear MediaWriter 5.2.1 Unauthenticated RCE via .NET Remoting TCP Service

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

CWE CWE-306 CWE-502
Vendor hyland
Product pacsgear mediawriter
Published Jul 1, 2026
Last Updated Jul 1, 2026
Stay Ahead of the Next One

Get instant alerts for hyland pacsgear mediawriter

Be the first to know when new critical vulnerabilities affecting hyland pacsgear mediawriter are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Hyland / PACSgear MediaWriter
5.2.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
gist.github.com: https://gist.github.com/VAMorales/dc679ecab30b7045fa07bf3249a034d8 hyland.com: https://www.hyland.com/en/solutions/products/pacsgear vulncheck.com: https://www.vulncheck.com/advisories/pacsgear-mediawriter-unauthenticated-rce-via-net-remoting-tcp-service

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp Jan A. Rodriguez, Pentester, GM Sectec, Corp.