CVE-2026-21665 Overview
The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) contains an insecure deserialization vulnerability in its deprecated .NET Remoting TCP channels. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution by sending maliciously crafted serialized objects. This vulnerability specifically affects client-hosted deployments running legacy, unsupported versions with .NET Remoting ports exposed beyond trusted network boundaries—a configuration that is neither default nor supported.
Critical Impact
Unauthenticated remote code execution is possible when .NET Remoting service ports are exposed to untrusted networks, allowing attackers to fully compromise affected systems.
Affected Products
- Fiserv Originate Loans Peripherals version 2021.2.4 (build 4.7.3155.0011)
- Fiserv Velocity Services (legacy name) - unsupported versions
- Client-hosted deployments with .NET Remoting ports exposed to untrusted networks
Discovery Timeline
- 2026-02-23 - CVE-2026-21665 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-21665
Vulnerability Analysis
This vulnerability stems from the use of deprecated .NET Remoting TCP channels that perform unsafe deserialization of untrusted data. .NET Remoting, which Microsoft has officially marked as obsolete in .NET 5.0 and later, inherently lacks modern security controls for data validation during the deserialization process. When a service accepts serialized objects over the network without proper authentication or input validation, attackers can craft malicious payloads that execute arbitrary code upon deserialization.
The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which represents a critical class of security flaws where applications deserialize data from untrusted sources without adequate verification. In this case, the Print Service component accepts TCP connections and deserializes incoming data streams, trusting the content implicitly.
It is important to note that this finding applies specifically to client-hosted deployments running unsupported legacy versions. Fiserv-hosted environments are not affected by this vulnerability.
Root Cause
The root cause lies in the continued use of .NET Remoting technology in legacy versions of the software. .NET Remoting was designed for trusted intranet environments and provides no built-in mechanism to verify the integrity or safety of deserialized objects. The TcpChannel and BinaryFormatter classes used by the Print Service component will deserialize any well-formed object stream, including those containing gadget chains that achieve code execution through legitimate .NET framework classes.
Microsoft has explicitly documented that .NET Remoting APIs are obsolete and should not be used for new development, recommending alternatives such as WCF, gRPC, or direct socket communication with secure serialization formats.
Attack Vector
The attack requires network access to the .NET Remoting TCP port exposed by the Print Service component. An unauthenticated attacker can connect to this port and transmit a specially crafted serialized payload containing a deserialization gadget chain. Common gadget chains exploit legitimate .NET framework classes that perform dangerous operations during deserialization, such as ObjectDataProvider, TypeConfuseDelegate, or ActivitySurrogateSelector.
When the Print Service deserializes the malicious payload, the embedded gadget chain triggers execution of attacker-controlled code with the privileges of the service account. Because the attack requires no authentication and can be performed remotely over the network, it poses a significant risk when service ports are accessible from untrusted network segments.
The attack complexity is affected by the requirement that .NET Remoting ports must be exposed beyond trusted network boundaries—a misconfiguration that violates Fiserv's deployment guidelines.
Detection Methods for CVE-2026-21665
Indicators of Compromise
- Unexpected inbound TCP connections to .NET Remoting service ports from external IP addresses
- Process execution anomalies from the Print Service component, such as spawning child processes like cmd.exe, powershell.exe, or certutil.exe
- Unusual network traffic patterns including outbound connections initiated by the Print Service to external hosts
- Presence of known deserialization gadget chain signatures in network traffic or memory dumps
Detection Strategies
- Monitor network traffic for .NET Remoting protocol patterns on unexpected ports or from untrusted source addresses
- Implement endpoint detection rules to alert on suspicious process creation events where the Print Service spawns command interpreters or script engines
- Deploy network intrusion detection signatures for known .NET deserialization exploitation payloads
- Configure application whitelisting to prevent unauthorized executables from running under the Print Service context
Monitoring Recommendations
- Enable detailed logging on the Print Service component and forward logs to a SIEM for correlation analysis
- Implement network segmentation monitoring to detect traffic crossing trust boundaries to .NET Remoting ports
- Deploy honeypot services mimicking .NET Remoting endpoints to detect reconnaissance and exploitation attempts
- Establish baseline behavior profiles for the Print Service and alert on statistical anomalies
How to Mitigate CVE-2026-21665
Immediate Actions Required
- Upgrade to Fiserv Originate Loans Peripherals version 2025.1 or later, which uses modern, secure communication mechanisms
- Implement firewall rules to restrict .NET Remoting service ports to trusted network segments only
- Audit network configurations to ensure no .NET Remoting ports are exposed to untrusted networks or the internet
- If upgrade is not immediately possible, disable the Print Service component until network isolation is confirmed
Patch Information
Fiserv has discontinued support for version 2021.2.4 of Originate Loans Peripherals. Customers running this legacy version should upgrade to a currently supported release (2025.1 or later). The newer versions do not rely on deprecated .NET Remoting technology and implement secure communication channels. Contact Fiserv support for upgrade assistance and migration guidance.
For additional technical context on the deprecation of .NET Remoting, refer to the Microsoft Compatibility Documentation.
Workarounds
- Configure network firewalls to block all external access to .NET Remoting TCP ports, limiting connectivity to explicitly trusted internal hosts
- Implement network segmentation to isolate systems running the Print Service from untrusted network zones
- Deploy application-layer firewalls or proxies capable of inspecting and filtering .NET Remoting traffic
- Consider migrating to Fiserv-hosted deployment options, which are not affected by this vulnerability
# Example firewall rule to restrict .NET Remoting port access (Windows Firewall)
netsh advfirewall firewall add rule name="Block External .NET Remoting" dir=in action=block protocol=tcp localport=<REMOTING_PORT> remoteip=any
netsh advfirewall firewall add rule name="Allow Trusted .NET Remoting" dir=in action=allow protocol=tcp localport=<REMOTING_PORT> remoteip=<TRUSTED_SUBNET>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
