Cyber Posture

CVE-2026-23751

Severity: Critical · Public PoC available

Published: 23 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Restricting systems to least functionality eliminates the unnecessary deprecated .NET Remoting channel on port 2424, preventing unauthenticated remote exploitation.

prevent: Boundary protection controls network communications to block unauthorized inbound access to the exposed unauthenticated HTTP channel on port 2424.

prevent: Limiting the actions permitted without identification or authentication directly prohibits unauthenticated access to the critical Remoting functions that enable file operations and code execution.
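The boundary-protection control above, as an added example that is not code from Cyber Posture, Tungsten Automation or the advisory authors: a PowerShell script for the affected Windows host that inventories which process owns a listener on TCP 2424 (the port the page names for the Ascent Capture Service Remoting channel) and then adds an inbound Windows Defender Firewall block rule for that port. The rule name, the default scope of 'Any' remote address, and the use of the built-in Windows Defender Firewall cmdlets are assumptions of this example; the page gives no product-side setting for disabling the channel, so the least-functionality control is not implemented here.

```powershell
# Added example (not from the page or the vendor): inventory a TCP 2424 listener and
# apply an inbound block rule for it with Windows Defender Firewall.
# Assumptions not taken from the page: rule name, block scope, Defender Firewall in use.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]      $Port     = 2424,
    [string]   $RuleName = 'Block inbound .NET Remoting channel (CVE-2026-23751)',
    # 'Any' follows the page's assessment that the channel is unnecessary; if a known
    # set of clients still needs the port, pass the addresses that must be blocked instead.
    [string[]] $BlockFrom = @('Any')
)

# 1. Inventory: is anything listening on the port, and which process/service owns it?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "No listener on TCP $Port on this host."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)" `
                    -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            ProcessId    = $l.OwningProcess
            ProcessName  = $proc.ProcessName
            ServiceName  = $svc.Name
        } | Format-List
    }
}

# 2. Boundary protection: block unsolicited inbound connections to the port.
#    Supports -WhatIf so the change can be previewed before it is applied.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Firewall rule '$RuleName' already exists; leaving it unchanged."
} elseif ($PSCmdlet.ShouldProcess("TCP $Port inbound", "Create block rule '$RuleName'")) {
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound -Protocol TCP -LocalPort $Port `
                        -RemoteAddress $BlockFrom -Action Block `
                        -Profile Any -Enabled True | Out-Null
    Write-Output "Created inbound block rule '$RuleName' for TCP $Port (from: $($BlockFrom -join ', '))."
}

# 3. Verify that the rule's port filter really covers the port.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Run it elevated; `-WhatIf` previews the rule without creating it. A host-level rule only restricts traffic that reaches the host, so the same port should also be filtered at the network boundary where the page's control is meant to apply.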

Security Summary (AI-generated)

CVE-2026-23751 affects Kofax Capture, now referred to as Tungsten Capture, specifically version 6.0.0.0, with other versions potentially vulnerable. The vulnerability stems from the Ascent Capture Service exposing a deprecated .NET Remoting HTTP channel on port 2424, which is accessible without authentication and uses a default, publicly known endpoint identifier. This exposure enables exploitation through .NET Remoting object unmarshalling techniques. The vulnerability is scored CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is mapped to CWE-306 (Missing Authentication for Critical Function) and CWE-441 (Unintended Proxy or Intermediary).

An unauthenticated remote attacker can exploit this by instantiating a remote System.Net.WebClient object via the exposed channel. This allows reading arbitrary files from the server filesystem, writing attacker-controlled files to the server, or coercing NTLMv2 authentication to an attacker-controlled host. Depending on the privileges of the service account and the network environment, successful exploitation can lead to sensitive credential disclosure, denial of service, remote code execution, or lateral movement.

Advisories and resources, including the Tungsten Automation documentation, a GitHub gist detailing the issue, and a VulnCheck advisory, provide additional technical details on the vulnerability, such as proof-of-concept exploitation steps for file read/write and SMB coercion via .NET Remoting. Practitioners should consult these for guidance on identification and potential workarounds, as no specific patch details are outlined in the core CVE information.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-441 (Unintended Proxy or Intermediary)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1187 Forced Authentication (Credential Access): Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Why these techniques?

T1190 for unauthenticated exploitation of the public-facing .NET Remoting service; T1005 for arbitrary file reads; T1105 for writing attacker-controlled files to the server; T1187 for NTLMv2 authentication coercion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References