CVE-2026-26222: CWE-502 Deserialization of Untrusted Data in Beyond Limits Inc. Altec DocLink
Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling, allowing remote attackers to read arbitrary files from the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite.
AI Analysis
Technical Summary
CVE-2026-26222 affects Altec DocLink version 4.0.336.0, maintained by Beyond Limits Inc., and involves insecure exposure of .NET Remoting endpoints via the Altec.RDCHostService.exe process. The service listens on TCP and HTTP/SOAP interfaces using the ObjectURI "doclinkServer.soap" and does not require any authentication, making it accessible to unauthenticated remote attackers. The core issue is unsafe deserialization (CWE-502) of untrusted data, allowing attackers to manipulate the object unmarshalling process. This flaw enables reading arbitrary files on the server by specifying local file paths, which can lead to sensitive data disclosure. Additionally, attackers can coerce SMB authentication by referencing UNC paths, potentially capturing credentials or performing relay attacks. More critically, the vulnerability allows writing arbitrary files to server locations. Since some writable directories may be served by IIS, attackers can place malicious files that lead to unauthenticated remote code execution or cause denial of service by overwriting critical files. The vulnerability also relates to CWE-918 (Server-Side Request Forgery), as the attacker can force the server to make SMB authentication requests. The CVSS 4.0 vector indicates network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the severity and ease of exploitation make this a critical threat requiring immediate attention.
Potential Impact
The vulnerability poses a severe risk to organizations using Altec DocLink 4.0.336.0, potentially leading to full system compromise. Confidentiality is at risk due to arbitrary file reading, exposing sensitive documents and credentials. Integrity is compromised by the ability to write arbitrary files, enabling attackers to implant backdoors or modify application behavior. Availability can be disrupted through denial of service by overwriting essential files. The unauthenticated nature of the exploit broadens the attack surface, allowing remote attackers to compromise systems without any prior access. Organizations relying on Altec DocLink for document management, especially those exposing the service to untrusted networks, face risks of data breaches, ransomware deployment, and operational disruption. The ability to coerce SMB authentication also raises concerns about credential theft and lateral movement within networks. Given the critical CVSS score and the nature of the vulnerability, the impact is potentially devastating for affected enterprises.
Mitigation Recommendations
Immediate mitigation steps include restricting network access to the Altec DocLink service endpoints by implementing firewall rules that limit access to trusted internal IP addresses only. Disable or block the .NET Remoting endpoints if not required, or configure the service to require strong authentication and encryption. Since no official patches are currently listed, organizations should contact Beyond Limits Inc. for updates or workarounds. Monitor network traffic for unusual SMB authentication attempts or unexpected file writes to IIS directories. Employ application-layer firewalls or intrusion detection systems to detect and block exploitation attempts targeting the ObjectURI "doclinkServer.soap". Conduct thorough audits of server file systems and IIS web directories for unauthorized changes. As a longer-term measure, consider isolating the Altec DocLink server in a segmented network zone with strict access controls. Regularly review and update security policies to prevent exposure of legacy or insecure services. Finally, prepare incident response plans to quickly contain and remediate any exploitation.
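A sketch of the monitoring step above, added here as an example and not taken from the advisory or from vendor tooling: it flags HTTP requests to the ObjectURI "doclinkServer.soap" that come from outside an allowlist of trusted networks. The log layout, the trusted network and the sample lines are constructed assumptions; the source would be a reverse proxy or network sensor in front of the service, and traffic on the TCP remoting channel will not appear in such a log.

```python
import ipaddress
import re

# Assumption: networks allowed to reach the DocLink service (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
OBJECT_URI = "doclinkserver.soap"  # ObjectURI named in the advisory, lower-cased

# Constructed sample lines: "date time client-ip method uri status".
SAMPLE_LOG = """\
2026-02-25 09:14:02 10.20.0.15 POST /doclinkServer.soap 200
2026-02-25 09:14:40 203.0.113.77 POST /doclinkServer.soap 200
2026-02-25 09:15:03 10.20.0.15 GET /default.aspx 200
2026-02-25 09:16:21 198.51.100.9 POST /DocLinkServer.SOAP 500
not a log line
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_trusted(ip_text):
    """Return True only for a parseable address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_hits(log_text):
    """List requests to the remoting ObjectURI from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        when, client, method, uri, status = m.groups()
        # Compare the last path segment case-insensitively, ignoring any query.
        path = uri.split("?", 1)[0].lower()
        if path.rsplit("/", 1)[-1] != OBJECT_URI:
            continue
        if not is_trusted(client):
            hits.append({"time": when, "client": client,
                         "method": method, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_hits(SAMPLE_LOG):
        print(hit)
```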
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-11T20:08:07.945Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3bbe58cf853b2906cf
Added to database: 2/24/2026, 8:51:07 PM
Last enriched: 3/4/2026, 6:48:59 PM
Last updated: 4/11/2026, 12:19:15 AM