Cyber Posture

CVE-2026-26221

Critical · Public PoC

Published: 13 February 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0062 (70.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Mitigating Controls (NIST 800-53 r5), AI-generated

- prevent: Directly remediates the CVE by applying Hyland's security update OB2025-03 to eliminate the unsafe .NET Remoting object unmarshalling vulnerability.
- prevent: Prevents unauthenticated remote access by enforcing boundary protection to block traffic to vulnerable TCP/8900 endpoints such as TimerServiceAPI.rem and TimerServiceEvents.rem.
- prevent: Addresses crafted .NET Remoting requests by validating external inputs to block unsafe object unmarshalling leading to arbitrary file read/write and RCE.

Security Summary, AI-generated

CVE-2026-26221 is a critical vulnerability in Hyland OnBase, specifically affecting the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). It stems from an unauthenticated .NET Remoting exposure that allows attackers to send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900, such as TimerServiceAPI.rem and TimerServiceEvents.rem. This triggers unsafe object unmarshalling (CWE-502), enabling arbitrary file read and write operations. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-13.

Any unauthenticated attacker with network access to the affected service can exploit this vulnerability. Successful exploitation grants arbitrary file read/write capabilities, which can be leveraged to write attacker-controlled content into web-accessible locations or chained with other OnBase features to achieve remote code execution. Additionally, the file write primitive supports SMB coercion by supplying a UNC path, forcing the service to authenticate to an attacker-controlled host via outbound NTLM authentication.

Hyland has issued a security update bulletin (OB2025-03) detailing the issue in the OnBase Workflow Timer Service. Additional analysis is available from VulnCheck, which covers the unauthenticated .NET Remoting RCE. Practitioners should consult these advisories for patch information and mitigation guidance, including restricting network access to TCP/8900.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

MITRE ATT&CK Enterprise Techniques, AI-generated

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
- T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access): By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.
Why these techniques?

Unauthenticated remote exploitation of a public-facing service (T1190) enables arbitrary file reads (T1005), web shell deployment via file writes to web directories (T1505.003), and SMB coercion for NTLM relay attacks (T1557.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References