PT-2026-54909 · Pacsgear · Pacsgear Mediawriter
Jan A. Rodriguez +1 · Published 2026-07-01 · Updated 2026-07-02 · CVE-2026-58127
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PACSgear MediaWriter version 5.2.1
Description
An unauthenticated remote attacker can read and write arbitrary files on the host filesystem by exploiting a .NET Remoting TCP service exposed on port 9000 via PacsgearMediaServerEngine.dll. This is possible because the service is registered with ObjectURIs RemoteObj and UIRemoteObj without authentication requirements. The attack utilizes the MarshalByRefObject object unmarshalling technique and .NET WebClient class methods. Furthermore, chaining the arbitrary file write capability with DLL hijacking in the MediaWriter service (which runs as NT AUTHORITY\SYSTEM and loads missing DLLs like CRYPTBASE.DLL from the application directory) allows for remote code execution as SYSTEM upon service restart.
Recommendations
Update PACSgear MediaWriter version 5.2.1 to a patched version.
Exploit
Fix
RCE
Deserialization of Untrusted Data
Missing Authentication
Affected Products
Pacsgear Mediawriter