CVE-2026-23746: CWE-306 Missing Authentication for Critical Function in Entrust Corporation Instant Financial Issuance (IF)
CVE-2026-23746 is a critical vulnerability in Entrust Corporation's Instant Financial Issuance (IFI) On Premise software versions 5.x and 6.0 prior to 6.10.5 and 6.11.1. The flaw arises from insecure .NET Remoting exposure in the SmartCardController service, which lacks proper authentication controls. An unauthenticated remote attacker with network access to the remoting port can invoke exposed objects to read arbitrary files, coerce outbound authentication, and potentially write files or execute code remotely.
AI Analysis
Technical Summary
CVE-2026-23746 is a critical security vulnerability affecting Entrust Corporation's Instant Financial Issuance (IFI) On Premise software, specifically versions 5.x and 6.0 prior to 6.10.5 and 6.11.1. The vulnerability stems from an insecure configuration of the .NET Remoting channel used by the SmartCardController service (DCG.SmartCardControllerService.exe). This service registers a TCP remoting channel with unsafe formatter settings that allow untrusted remote object invocation without any authentication. As a result, a remote attacker who can reach the remoting port can invoke exposed remoting objects to perform unauthorized actions. These include reading arbitrary files from the server, coercing outbound authentication mechanisms, and potentially writing arbitrary files or executing code remotely by leveraging known .NET Remoting exploitation techniques. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-502 (Deserialization of Untrusted Data), highlighting the lack of authentication and unsafe deserialization as root causes. The CVSS 4.0 score of 9.3 indicates a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild yet, the vulnerability poses a severe risk of full system compromise and sensitive data disclosure, including service account credentials and installation details. Entrust IFI is used primarily in financial environments for instant issuance of payment cards, making this vulnerability particularly dangerous in contexts where financial data and transactions are involved.
Potential Impact
For European organizations, especially those in the financial sector using Entrust IFI On Premise software, this vulnerability presents a critical risk. Exploitation can lead to unauthorized disclosure of sensitive financial and operational data, including service account credentials and installation configurations. The ability to execute arbitrary code remotely can result in full system compromise, enabling attackers to manipulate card issuance processes, disrupt financial operations, or move laterally within the network. This could cause significant financial losses, regulatory non-compliance, reputational damage, and operational downtime. Given the critical nature of financial services in Europe and the reliance on secure card issuance, the impact extends beyond individual organizations to potentially affect customers and partners. Additionally, the lack of authentication and ease of exploitation increase the likelihood of targeted attacks or opportunistic exploitation by cybercriminals or state-sponsored actors. The absence of known exploits in the wild currently provides a window for proactive mitigation but does not reduce the urgency of addressing the vulnerability.
Mitigation Recommendations
1. Immediate patching: Upgrade Entrust IFI On Premise software to version 6.10.5 or later, where the vulnerability is fixed.
2. Network segmentation: Restrict access to the SmartCardController remoting port using firewalls or network access controls to limit exposure only to trusted management systems.
3. Monitoring and detection: Implement logging and monitoring on the affected service and network ports to detect anomalous or unauthorized remoting invocations.
4. Access controls: Enforce strict access policies on systems hosting Entrust IFI, including multi-factor authentication for administrative access and least privilege principles.
5. Incident response readiness: Prepare for potential exploitation by having incident response plans and forensic capabilities in place to quickly identify and contain breaches.
6. Vendor coordination: Engage with Entrust Corporation for guidance, updates, and support regarding this vulnerability and any related advisories.
7. Code review and configuration audit: Review the deployment configuration to ensure no other insecure remoting or deserialization settings exist.
8. Consider network-level encryption and authentication mechanisms to protect remoting channels if upgrading is delayed.
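For the configuration audit in step 7, the following added example (not Entrust's code or tooling) scans .NET `*.config` files for remoting channels that lack `secure="true"` or set `typeFilterLevel="Full"`, the two conditions behind CWE-306 and CWE-502 here. It assumes channels are declared in configuration files; the page does not say whether the affected service registers its channel in config or in code, and the ports and sample XML are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample for illustration; not Entrust's actual configuration.
SAMPLE_CONFIG = """<configuration><system.runtime.remoting><application><channels>
  <channel ref="tcp" port="9000">
    <serverProviders><formatter ref="binary" typeFilterLevel="Full"/></serverProviders>
  </channel>
  <channel ref="tcp" port="9001" secure="true">
    <serverProviders><formatter ref="binary" typeFilterLevel="Low"/></serverProviders>
  </channel>
</channels></application></system.runtime.remoting></configuration>"""


def audit_remoting_config(xml_data):
    """Return [(port, issue), ...] for remoting channels declared in one config file."""
    findings = []
    root = ET.fromstring(xml_data)  # accepts str or bytes
    for section in root.iter("system.runtime.remoting"):
        for channel in section.iter("channel"):
            attrs = {k.lower(): v.strip().lower() for k, v in channel.attrib.items()}
            port = attrs.get("port", "unspecified")
            # Without secure="true" the channel performs no caller authentication.
            if attrs.get("secure") != "true":
                findings.append((port, "channel not authenticated (CWE-306)"))
            # typeFilterLevel="Full" lifts the formatter's deserialization restrictions.
            for fmt in channel.iter("formatter"):
                fattrs = {k.lower(): v.strip().lower() for k, v in fmt.attrib.items()}
                if fattrs.get("typefilterlevel") == "full":
                    findings.append((port, "typeFilterLevel=Full (CWE-502)"))
    return findings


def audit_tree(root_dir):
    """Audit every *.config under root_dir; unparsable files are reported, not skipped."""
    report = {}
    for path in Path(root_dir).rglob("*.config"):
        try:
            result = audit_remoting_config(path.read_bytes())
        except ET.ParseError as exc:
            result = [("n/a", f"unparsable XML: {exc}")]
        if result:
            report[str(path)] = result
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(audit_tree(target) if target else audit_remoting_config(SAMPLE_CONFIG))
```

A clean result covers only config-declared channels; channels registered programmatically still need a code or binary review.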
Affected Countries
United Kingdom, Germany, France, Netherlands, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-15T18:42:20.937Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6969476c1ab3796b1034af87
Added to database: 1/15/2026, 8:00:44 PM
Last enriched: 1/22/2026, 9:39:41 PM
Last updated: 2/6/2026, 6:23:09 PM