CVE-2026-25550: CWE-306 Missing Authentication for Critical Function in Seagull Software, LLC. BarTender 2010
Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint — BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 — configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server, enabling sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY\SYSTEM.
AI Analysis
Technical Summary
CVE-2026-25550 affects Seagull Software BarTender 2010, 2016, and 2019 through an unauthenticated remote code execution vulnerability in the .NET Remoting service (BtSystem.Service.exe) listening on TCP port 7375. The service registers an unauthenticated singleton endpoint (BarTenderSystem for 2016 <= R9, DataServiceSingleton for 2019 <= R10) configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, enabling unsafe deserialization. An attacker can exploit this to perform arbitrary file read/write operations or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server. The service runs under NT AUTHORITY\SYSTEM, which can lead to credential disclosure, remote code execution, or lateral movement depending on environment and privileges.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges, read or write arbitrary files on the server, and potentially disclose sensitive credentials via coerced NTLMv2 authentication. This can lead to full system compromise and lateral movement within the network. The CVSS 4.0 score is 9.3 (critical), reflecting the high impact and ease of exploitation without authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict network access to TCP port 7375 to trusted hosts only and consider disabling the .NET Remoting service if not required. Monitor for unusual activity related to BarTender services. Do not rely on generic mitigations; follow vendor instructions once published.
CVE-2026-25550: CWE-306 Missing Authentication for Critical Function in Seagull Software, LLC. BarTender 2010
Description
Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint — BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 — configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server, enabling sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY\SYSTEM.
CVSS v4.0
Score 9.3critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-25550 affects Seagull Software BarTender 2010, 2016, and 2019 through an unauthenticated remote code execution vulnerability in the .NET Remoting service (BtSystem.Service.exe) listening on TCP port 7375. The service registers an unauthenticated singleton endpoint (BarTenderSystem for 2016 <= R9, DataServiceSingleton for 2019 <= R10) configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, enabling unsafe deserialization. An attacker can exploit this to perform arbitrary file read/write operations or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server. The service runs under NT AUTHORITY\SYSTEM, which can lead to credential disclosure, remote code execution, or lateral movement depending on environment and privileges.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges, read or write arbitrary files on the server, and potentially disclose sensitive credentials via coerced NTLMv2 authentication. This can lead to full system compromise and lateral movement within the network. The CVSS 4.0 score is 9.3 (critical), reflecting the high impact and ease of exploitation without authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict network access to TCP port 7375 to trusted hosts only and consider disabling the .NET Remoting service if not required. Monitor for unusual activity related to BarTender services. Do not rely on generic mitigations; follow vendor instructions once published.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-02T20:12:33.395Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a21ba77e29bf47b50be41f6
Added to database: 6/4/2026, 5:48:39 PM
Last enriched: 6/4/2026, 6:03:38 PM
Last updated: 6/4/2026, 6:49:37 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.