CVE-2026-23746: CWE-306 Missing Authentication for Critical Function in Entrust Corporation Instant Financial Issuance (IF)
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
AI Analysis
Technical Summary
CVE-2026-23746 is a critical security vulnerability affecting Entrust Corporation's Instant Financial Issuance (IFI) On Premise software, specifically versions 5.x and 6.0 prior to 6.10.5 and 6.11.1. The flaw resides in the SmartCardController service (DCG.SmartCardControllerService.exe), which uses .NET Remoting with insecure formatter settings and an exposed TCP remoting channel. This misconfiguration allows unauthenticated remote attackers to invoke remoting objects arbitrarily. Exploiting this vulnerability enables attackers to read arbitrary files from the server, coerce the service into performing outbound authentication, and potentially write arbitrary files or execute remote code using known .NET Remoting exploitation techniques. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function) and CWE-502 (Deserialization of Untrusted Data), indicating that critical functions lack proper authentication and that unsafe deserialization mechanisms are in use. The absence of authentication and the network-exposed remoting channel make exploitation straightforward for attackers with network access to the remoting port. The impact includes disclosure of sensitive installation and service-account data, full system compromise, and potential lateral movement within the network. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patches are currently linked, so affected organizations must prioritize mitigation and monitoring.
Potential Impact
For European organizations, especially those in the financial sector using Entrust IFI On Premise software, this vulnerability poses a severe risk. Exploitation can lead to unauthorized disclosure of sensitive financial card issuance data, including service account credentials and installation details, potentially enabling further attacks or fraud. Remote code execution could allow attackers to take full control of affected servers, disrupt financial issuance operations, and compromise the integrity of issued financial instruments. This could result in significant financial losses, regulatory penalties under GDPR for data breaches, reputational damage, and operational downtime. Given the critical nature of financial services in Europe and Entrust's market presence, the vulnerability could be leveraged in targeted attacks against banks, payment processors, and government agencies involved in financial card issuance. The lack of authentication and ease of exploitation increase the likelihood of successful attacks if the remoting port is exposed or accessible within internal networks.
Mitigation Recommendations
1. Immediately upgrade Entrust IFI On Premise software to version 6.10.5 or later, or 6.11.1 or later, where the vulnerability is addressed.
2. If patching is not immediately possible, restrict network access to the SmartCardController service remoting port using firewalls or network segmentation to limit exposure to trusted hosts only.
3. Implement strict network-level access controls and monitoring to detect unusual remoting activity or unauthorized connections to the remoting port.
4. Disable or reconfigure .NET Remoting channels to use secure formatters and enforce authentication mechanisms to prevent unauthenticated invocation of remoting objects.
5. Conduct thorough audits of service accounts and credentials to identify potential compromise and rotate credentials if suspicious activity is detected.
6. Employ endpoint detection and response (EDR) tools to monitor for signs of exploitation or anomalous process behavior on servers running the affected service.
7. Review and harden deserialization processes in custom code if applicable to prevent exploitation of unsafe deserialization vulnerabilities.
8. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
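Item 4 names the two settings behind the exposure described above: a formatter that accepts arbitrary object graphs and a TCP channel that dispatches calls from unauthenticated peers. The C# below is an added illustration, not Entrust's code, of what a hardened TcpChannel registration looks like; the service type, object URI, port, allow-listed address and group name are placeholders.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;
using System.Security.Principal;

// Placeholder for the remoted service object (not the vendor's type).
class SmartCardService : MarshalByRefObject { }

// Connection-level gate: every inbound connection is checked by source address,
// then by the Windows identity the secure channel authenticated.
sealed class AllowListAuthorizer : IAuthorizeRemotingConnection
{
    static readonly string[] TrustedHosts = { "10.0.0.10" };  // placeholder allow-list
    const string TrustedGroup = @"ISSUANCE\IssuanceOperators"; // placeholder group
    public bool IsConnectingEndPointAuthorized(EndPoint endPoint)
    {
        var ip = endPoint as IPEndPoint;
        return ip != null && Array.IndexOf(TrustedHosts, ip.Address.ToString()) >= 0;
    }
    public bool IsConnectingIdentityAuthorized(IIdentity identity)
    {
        // secure=true makes the channel authenticate the peer (Negotiate) before any
        // call is dispatched, so an anonymous caller never reaches this point.
        var win = identity as WindowsIdentity;
        return win != null && win.IsAuthenticated && new WindowsPrincipal(win).IsInRole(TrustedGroup);
    }
}

static class SecureRemotingHost
{
    public static void Register(int port)
    {
        // The unsafe pattern: TypeFilterLevel.Full plus no "secure" flag lets any peer that
        // reaches the port hand the BinaryFormatter arbitrary object graphs. Low restricts it.
        var server = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Low };
        IDictionary props = new Hashtable();
        props["name"] = "SecureTcp";
        props["port"] = port;
        props["secure"] = true;                        // Windows authentication + encryption
        props["protectionLevel"] = "EncryptAndSign";
        props["authorizationModule"] = new AllowListAuthorizer();
        var channel = new TcpChannel(props, null, server);
        ChannelServices.RegisterChannel(channel, true); // ensureSecurity: fail closed if insecure
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(SmartCardService), "SmartCardService.rem", WellKnownObjectMode.Singleton);
    }
}
```

Only the vendor can apply a change like this to a compiled service, so for affected installations the upgrade plus network restriction is the actual fix. Microsoft documents .NET Remoting as legacy and not securable against untrusted peers, so even these settings are defense in depth rather than a substitute for removing network exposure.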
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-15T18:42:20.937Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6969476c1ab3796b1034af87
Added to database: 1/15/2026, 8:00:44 PM
Last enriched: 1/15/2026, 8:16:24 PM
Last updated: 1/15/2026, 10:37:56 PM