Cyber Posture

CVE-2026-26222

CriticalPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0116 78.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling, allowing remote…

more

attackers to read arbitrary files from the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the unsafe object unmarshalling vulnerability (CWE-502) and lack of authentication in Altec.RDCHostService.exe by identifying, reporting, and applying vendor patches.

SC-7 Boundary Protection good match
prevent

Monitors and controls communications at system boundaries to restrict network access to the exposed unauthenticated .NET Remoting endpoints over TCP and HTTP/SOAP.

SI-10 Information Input Validation partial match
prevent

Validates untrusted inputs to the remoting service to mitigate unsafe deserialization payloads that enable arbitrary file read/write and SSRF (CWE-918).

Security SummaryAI

CVE-2026-26222 affects Altec DocLink version 4.0.336.0, now maintained by Beyond Limits Inc., where the component Altec.RDCHostService.exe exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP using the ObjectURI "doclinkServer.soap". These endpoints operate without authentication and are vulnerable to unsafe object unmarshalling, associated with CWE-502 (Deserialization of Untrusted Data) and CWE-918 (Server-Side Request Forgery). The vulnerability enables remote file read and write operations on the underlying system.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can read arbitrary files by specifying local file paths and coerce SMB authentication using UNC paths. They can also write arbitrary files to server locations, potentially leading to remote code execution or denial of service if writable paths are web-accessible under IIS configurations.

Advisories provide further details on the issue, including at https://www.vulncheck.com/advisories/doclink-net-remoting-unauthenticated-arbitrary-file-read-write-rce and https://doclinkai.com/. Security practitioners should consult these for recommended mitigations, such as restricting network access to the affected endpoints or applying any available patches from the vendor.

Details

CWE(s)
CWE-502CWE-918NVD-CWE-noinfo

Affected Products

beyond
altec doclink
4.0.336.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
attack.mitre.org →
Why these techniques?

The vulnerability is an unauthenticated remote exploitation of a public-facing .NET Remoting service (T1190), directly enabling arbitrary file reads from the local system (T1005) and SMB authentication coercion via UNC paths (T1187).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References