Mallory
Critical

Unauthenticated RCE in Seagull Software BarTender .NET Remoting Service

Identifiers: CVE-2026-25550, CWE-502 · Deserialization of Untrusted Data

CVE-2026-25550 is an unauthenticated remote code execution vulnerability affecting Seagull Software BarTender 2010, 2016, and 2019. The issue resides in the .NET Remoting service exposed by BtSystem.Service.exe on TCP port 7375. In affected versions, the service registers an unauthenticated singleton endpoint — BarTenderSystem in BarTender 2016 up to R9, and DataServiceSingleton in BarTender 2019 up to R10 — using BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full. This unsafe .NET Remoting configuration permits attacker-controlled object unmarshalling/deserialization over the network without authentication. A remote attacker can abuse the exposed remoting interface to invoke gadget behavior such as use of the .NET WebClient class to read or write arbitrary files on the server, or supply a UNC path to trigger outbound authentication to an attacker-controlled host. Because the vulnerable service runs as NT AUTHORITY\SYSTEM, successful exploitation can lead to full system compromise depending on the reachable gadget paths and environment.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an unauthenticated remote attacker to perform high-impact actions against the BarTender host. Reported outcomes include arbitrary file read and write on the server, coercion of NTLMv2 authentication to attacker-controlled infrastructure, disclosure of sensitive credentials or reusable hashes, and remote code execution. Because BtSystem.Service.exe runs as NT AUTHORITY\SYSTEM, compromise can occur with SYSTEM-level privileges, substantially increasing the severity and enabling follow-on actions such as persistence, credential theft, lateral movement, and broader domain compromise depending on the service account privileges and surrounding network environment.

Mitigation

If you can’t patch tonight, do this now.

Until a fixed release is deployed, restrict or block inbound access to TCP port 7375 from untrusted networks and limit exposure to only explicitly authorized management hosts. Disable or isolate the vulnerable .NET Remoting service where operationally feasible. Prevent outbound SMB/UNC access from the BarTender host to attacker-controlled systems to reduce NTLM coercion risk. Apply host and network firewall rules, segmentation, and service isolation controls. Monitor for unexpected connections from the BarTender server to remote SMB shares and for suspicious activity involving BtSystem.Service.exe.
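
The containment steps above, as an added PowerShell example for the BarTender host (not from the vendor or this advisory). The management host addresses are constructed placeholders, and the outbound rule assumes the host needs no SMB client access of its own.

```powershell
# Added example: interim containment on the BarTender host. Run elevated.
$Port            = 7375
$ManagementHosts = @('192.0.2.10', '192.0.2.11')   # constructed placeholders

# 1. Locate the service by its binary and confirm what is listening on the port.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*BtSystem.Service.exe*' } |
    Select-Object Name, State, StartMode, StartName, ProcessId
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. In Windows Firewall a block rule overrides any allow rule, so an allow
#    list needs default-deny inbound plus one scoped allow rule.
$weak = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }
if ($weak) {
    Write-Warning "Profiles without default-deny inbound: $($weak.Name -join ', ')"
}

# 3. List enabled inbound allow rules that name the port. Each one must be
#    disabled or scoped, or it keeps the port open to every source.
#    Rules with port 'Any' or scoped only by program are not caught here.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" } |
    Select-Object DisplayName, Profile

# 4. Allow the port only from the authorized management hosts.
New-NetFirewallRule -DisplayName "BarTender $Port from management hosts" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $ManagementHosts -Action Allow -Profile Any

# 5. Block outbound SMB so a supplied UNC path cannot trigger authentication
#    to a remote host. Assumption: this host does not need to reach file
#    shares or domain controllers over SMB; if it does, set -RemoteAddress
#    to the ranges that should be denied instead of blocking everything.
New-NetFirewallRule -DisplayName 'BarTender host: block outbound SMB' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any

# 6. Review current outbound SMB sessions against the expected file servers.
Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess
```

Step 3 only reports; review the listed rules before disabling them, since the scoped allow rule in step 4 has no effect while a broader allow rule for the same port remains enabled.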

Remediation

Patch, then assume compromise.

Upgrade BarTender to a vendor-fixed release, if available. Remove or replace the vulnerable .NET Remoting exposure in BtSystem.Service.exe, specifically eliminating unauthenticated singleton endpoints and unsafe BinaryServerFormatterSinkProvider configurations with TypeFilterLevel set to Full. Update affected BarTender 2016 and 2019 deployments to releases that no longer expose the vulnerable remoting endpoints on TCP port 7375. Where product architecture permits, retire legacy .NET Remoting usage in favor of authenticated and hardened IPC/RPC mechanisms.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

No news coverage yet. Advisories and community discussion only.


Social activity: 6

Community discussion across Reddit, Mastodon, and other social sources.