PT-2026-54909 · Pacsgear · Pacsgear Mediawriter

Jan A. Rodriguez +1 · Published 2026-07-01 · Updated 2026-07-02 · CVE-2026-58127

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PACSgear MediaWriter version 5.2.1

Description

An unauthenticated remote attacker can read and write arbitrary files on the host filesystem by exploiting a .NET Remoting TCP service exposed on port 9000 via PacsgearMediaServerEngine.dll. This is possible because the service is registered with the ObjectURIs RemoteObj and UIRemoteObj without any authentication requirement. The attack uses the MarshalByRefObject object unmarshalling technique and .NET WebClient class methods. Furthermore, the arbitrary file write can be chained with DLL hijacking in the MediaWriter service, which runs as NT AUTHORITY\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory. This chain allows remote code execution as SYSTEM upon service restart.

Recommendations

Update PACSgear MediaWriter version 5.2.1 to a patched version.
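
A host-side check for the two conditions the description names, written as an added example for defenders (it is not code from the advisory or the vendor). The install directory is a placeholder and the function names `Get-RemotingListener` and `Find-ShadowedSystemDll` are hypothetical; only port 9000 and the CRYPTBASE.DLL scenario come from the advisory.

```powershell
# Added defensive check, not vendor or advisory code.
param(
    # Assumption: placeholder path; set it to the real MediaWriter install directory.
    [string]$InstallDir = 'C:\PLACEHOLDER\MediaWriter',
    [int]$Port = 9000   # .NET Remoting TCP port named in the advisory
)

function Get-RemotingListener {
    param([int]$Port)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                Process       = $proc.ProcessName
                # A wildcard bind is reachable from the network unless a firewall blocks it.
                AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
            }
        }
}

function Find-ShadowedSystemDll {
    param([string]$Directory)
    # A DLL in the application directory that shares its name with a System32 DLL
    # (CRYPTBASE.DLL in the advisory) can be loaded in place of the system copy.
    # Treat hits as a triage list: some products legitimately ship such files.
    $system32 = Join-Path $env:windir 'System32'
    Get-ChildItem -LiteralPath $Directory -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -LiteralPath (Join-Path $system32 $_.Name) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Signature     = $sig.Status
                Signer        = $sig.SignerCertificate.Subject
            }
        }
}

$listeners = @(Get-RemotingListener -Port $Port)
$shadowed  = @(Find-ShadowedSystemDll -Directory $InstallDir)

if ($listeners.Count) { $listeners | Format-Table -AutoSize } else { "No listener on TCP $Port" }

if ($shadowed.Count) { $shadowed | Format-List } else { "No DLLs in $InstallDir shadow a System32 DLL" }
```

A listener bound to all interfaces on an unpatched host, or an unsigned or recently written DLL in the result list, is a reason to isolate the host and review it before the service is next restarted.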

Exploit

Fix

RCE

Deserialization of Untrusted Data

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-58127

Affected Products

Pacsgear Mediawriter