{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23751", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-15T18:42:20.938Z", "datePublished": "2026-04-23T14:46:12.638Z", "dateUpdated": "2026-04-25T01:20:38.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-23T14:46:12.638Z"}, "title": "Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-441", "description": "CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')", "type": "CWE"}]}], "affected": [{"vendor": "Tungsten Automation", "product": "Kofax Capture", "versions": [{"status": "affected", "version": "6.0.0.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.<br>"}]}], "references": [{"url": "https://gist.github.com/VAMorales/3888941d6e5efdd4b2e673e999f68ca2", "tags": ["technical-description", "exploit"]}, {"url": "https://docshield.tungstenautomation.com/Portal/Products/en_US/KC/11.1.0-40hy9nfk91/KC.htm", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/kofax-capture-unauthenticated-file-read-write-smb-coercion-via-net-remoting", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "timeline": [{"time": "2025-12-18T19:00:00.000Z", "lang": "en", "value": "The VulnCheck CNA conducted initial outreach to Tungsten Automation, thus initiating our 120-day disclosure timeline."}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:20:25.743838Z", "id": "CVE-2026-23751", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:20:38.886Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23751", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-15T18:42:20.938Z", "datePublished": "2026-04-23T14:46:12.638Z", "dateUpdated": "2026-04-25T01:20:38.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-23T14:46:12.638Z"}, "title": "Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-441", "description": "CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')", "type": "CWE"}]}], "affected": [{"vendor": "Tungsten Automation", "product": "Kofax Capture", "versions": [{"status": "affected", "version": "6.0.0.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.<br>"}]}], "references": [{"url": "https://gist.github.com/VAMorales/3888941d6e5efdd4b2e673e999f68ca2", "tags": ["technical-description", "exploit"]}, {"url": "https://docshield.tungstenautomation.com/Portal/Products/en_US/KC/11.1.0-40hy9nfk91/KC.htm", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/kofax-capture-unauthenticated-file-read-write-smb-coercion-via-net-remoting", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "timeline": [{"time": "2025-12-18T19:00:00.000Z", "lang": "en", "value": "The VulnCheck CNA conducted initial outreach to Tungsten Automation, thus initiating our 120-day disclosure timeline."}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23751", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-25T01:20:25.743838Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:20:32.794Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment."}], "id": "CVE-2026-23751", "lastModified": "2026-04-24T14:50:56.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-23T16:16:24.463", "references": [{"source": "disclosure@vulncheck.com", "url": "https://docshield.tungstenautomation.com/Portal/Products/en_US/KC/11.1.0-40hy9nfk91/KC.htm"}, {"source": "disclosure@vulncheck.com", "url": "https://gist.github.com/VAMorales/3888941d6e5efdd4b2e673e999f68ca2"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/kofax-capture-unauthenticated-file-read-write-smb-coercion-via-net-remoting"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-441"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.0.0.0"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Kofax Capture", "source": "cna", "vendor": "Tungsten Automation"}, "product": "kofax_capture", "vendor": "tungstenautomation"}], "analysis": {"en": {"generated_at": "2026-04-28T07:36:16.273738+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch or upgrade to a version that disables or secures the .NET Remoting channel.", "Disable or block inbound traffic to TCP port 2424 so the remote channel cannot be reached.", "Restrict the privileges of the Kofax Capture service account to the minimum required for operation, limiting its ability to read/write sensitive files.", "Audit and monitor the filesystem and Windows authentication logs for unusual activity that could indicate exploitation of the vulnerable channel."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution and Sensitive Data Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Kofax Capture (now called Tungsten Capture) version 6.0.0.0; other versions may also be impacted. The affected product is delivered by Tungsten Automation and configured with a .NET Remoting HTTP channel on port 2424. If your environment runs this version or earlier builds, it is likely susceptible.", "description_and_impact": "Kofax Capture 6.0.0.0 exposes a deprecated .NET Remoting HTTP channel on port 2424 that requires no authentication and uses a standard endpoint identifier. An attacker can exploit the channel\u2019s object unmarshalling to create a System.Net.WebClient instance, allowing arbitrary reading and writing of files on the server filesystem, or coercing NTLMv2 authentication to an attacker\u2011controlled host. This can result in data theft, denial\u2011of\u2011service, remote code execution, or lateral movement depending on the privileges of the service account. The flaw is grounded in CWE\u2011306 (Authentication Bypass) and CWE\u2011441 (Unrestricted Resource Manipulation of Files and Directories).", "risk_and_exploitability": "The CVSS base score of 9.3 classifies the issue as critical. The EPSS score of less than 1% indicates that, at present, attackers are unlikely to have exploited the flaw widely, and it is not listed in CISA\u2019s KEV catalog. Nevertheless, the vulnerability is exploitable from any network location that can reach port 2424, making it a high\u2011risk attack surface for organizations that expose Kofax Capture to the Internet or insecure internal networks. If compromised, an attacker can read or write any file the service account can access, pull NTLMv2 credentials, perform denial\u2011of\u2011service or execute arbitrary code on the host. The attack vector is a remote, unauthenticated HTTP session to the .NET Remoting endpoint. "}}}}, "created": "2026-04-27T21:30:13.623007+00:00", "updated": "2026-04-28T07:45:26.030963+00:00", "vendors": ["tungstenautomation", "tungstenautomation$PRODUCT$kofax_capture"]}