
CVE-2026-23746: Entrust IFI .NET Remoting RCE Flaw

CVE-2026-23746 is a remote code execution vulnerability in Entrust Instant Financial Issuance software affecting the SmartCardController service. Attackers can exploit insecure .NET Remoting to execute code remotely.

Published: January 23, 2026

CVE-2026-23746 Overview

CVE-2026-23746 is a critical remote code execution vulnerability affecting Entrust Instant Financial Issuance (IFI) On Premise software, formerly known as CardWizard. The vulnerability exists in the SmartCardController service (DCG.SmartCardControllerService.exe), which registers a TCP remoting channel with unsafe formatter and configuration settings that permit untrusted remoting object invocation. This insecure .NET Remoting exposure allows remote, unauthenticated attackers to invoke exposed remoting objects, enabling arbitrary file read operations, outbound authentication coercion, and potentially arbitrary file write and remote code execution through well-known .NET Remoting exploitation techniques.

Critical Impact

This vulnerability enables unauthenticated remote attackers to achieve full system compromise through arbitrary file operations and remote code execution, potentially exposing sensitive financial card issuance data and service account credentials.

Affected Products

  • Entrust Instant Financial Issuance (IFI) On Premise software versions 5.x
  • Entrust IFI On Premise versions prior to 6.10.5
  • Entrust IFI On Premise versions prior to 6.11.1

Discovery Timeline

  • 2026-01-15 - CVE-2026-23746 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-23746

Vulnerability Analysis

The vulnerability stems from the SmartCardController service's use of insecure .NET Remoting configuration. The service exposes a TCP remoting channel that allows remote clients to invoke methods on server-side objects without proper authentication or authorization checks. This is classified as CWE-306 (Missing Authentication for Critical Function), where a critical system function—remote object invocation—lacks the necessary authentication mechanisms to restrict access to authorized users only.

The .NET Remoting framework, when configured with unsafe formatter settings, permits deserialization of arbitrary objects from remote clients. This creates a dangerous attack surface where an attacker can craft malicious serialized objects that, when deserialized by the server, can execute arbitrary code within the context of the service process. The SmartCardController service runs with elevated privileges to manage smart card operations, meaning successful exploitation grants the attacker those same elevated privileges on the target system.

Root Cause

The root cause of CVE-2026-23746 is the insecure configuration of the .NET Remoting channel in the SmartCardController service. Specifically, the service uses TypeFilterLevel.Full or equivalent unsafe formatter settings that allow unrestricted type deserialization. Combined with the absence of authentication requirements for remoting connections, this creates a perfect storm for remote exploitation. The service binds to a network-accessible TCP port without implementing channel-level security, IP filtering, or mutual authentication between clients and the server.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker who can reach the TCP port used by the SmartCardController service can initiate a .NET Remoting connection and invoke exposed methods on registered remote objects. The exploitation typically follows these stages:

  1. Reconnaissance: Identify systems running the vulnerable SmartCardController service and determine the TCP port
  2. Connection: Establish a .NET Remoting TCP channel connection to the target
  3. Object Invocation: Invoke exposed remoting objects to perform initial operations such as arbitrary file reads
  4. Escalation: Leverage known .NET Remoting deserialization gadgets to achieve arbitrary code execution
  5. Post-Exploitation: Access sensitive financial card issuance data, extract service account credentials, or establish persistent access

The vulnerability can be exploited using existing .NET Remoting exploitation tools and techniques documented in security research. Attackers can read arbitrary files from the server to extract configuration data and credentials, coerce the service to authenticate to attacker-controlled systems (NTLM relay attacks), and ultimately execute arbitrary code on the compromised host.

Detection Methods for CVE-2026-23746

Indicators of Compromise

  • Unexpected network connections to the SmartCardController service TCP port from external or untrusted IP addresses
  • Anomalous file access patterns from DCG.SmartCardControllerService.exe, particularly reads of sensitive system files or configuration files outside normal operational scope
  • NTLM authentication attempts originating from the service account to external or unexpected destinations
  • Unexpected child processes spawned by DCG.SmartCardControllerService.exe

Detection Strategies

  • Monitor network traffic for .NET Remoting protocol signatures connecting to the SmartCardController service port
  • Implement file integrity monitoring on critical system directories and the IFI installation folder to detect unauthorized file access or modifications
  • Configure Windows Security Event logging to capture process creation events (Event ID 4688) with command line auditing enabled for the SmartCardController service
  • Deploy endpoint detection rules to identify known .NET deserialization attack payloads and gadget chains
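
The child-process check from the lists above, as an added example (not code from SentinelOne or Entrust). It assumes Event ID 4688 records have been exported one JSON object per line using the event's own field names (NewProcessName, ParentProcessName, CommandLine, SubjectUserName); the export format, the high-risk list, and all sample events are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

SERVICE_IMAGE = "dcg.smartcardcontrollerservice.exe"  # binary named in the advisory
# Assumption: children ranked "high" because a service has no reason to start them.
HIGH_RISK = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}

def image_name(path):
    """Lower-cased file name of a Windows path; '' if the field is absent."""
    return PureWindowsPath(path or "").name.lower()

def find_service_children(lines):
    """Return a finding for each 4688 event whose parent is the service binary."""
    findings = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate truncated or malformed export lines
        if not isinstance(event, dict) or str(event.get("EventID")) != "4688":
            continue
        # ParentProcessName is empty on hosts that predate the field; no match then.
        if image_name(event.get("ParentProcessName")) != SERVICE_IMAGE:
            continue
        child = image_name(event.get("NewProcessName"))
        findings.append({
            "time": event.get("TimeCreated"),
            "user": event.get("SubjectUserName"),
            "child": child,
            "command_line": event.get("CommandLine") or "<command-line auditing off>",
            "severity": "high" if child in HIGH_RISK else "review",
        })
    return findings

# Constructed sample events (not real telemetry); install path and account are placeholders.
SVC = r"C:\Example\IFI\DCG.SmartCardControllerService.exe"
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 4688, "TimeCreated": "2026-01-20T10:02:11Z", "SubjectUserName": "svc_example",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentProcessName": SVC},
    {"EventID": 4688, "TimeCreated": "2026-01-20T10:05:40Z", "SubjectUserName": "svc_example",
     "NewProcessName": r"C:\Example\IFI\helper.exe", "CommandLine": "",
     "ParentProcessName": SVC.upper()},
    {"EventID": 4688, "TimeCreated": "2026-01-20T10:06:02Z", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4624, "TimeCreated": "2026-01-20T10:07:00Z"},
)] + ['{"EventID": 4688, "NewProcessName": "C:\\\\trunc']  # malformed line

if __name__ == "__main__":
    for f in find_service_children(SAMPLE):
        print(f["severity"], f["time"], f["user"], f["child"], f["command_line"])
```

An empty command_line in a finding means command-line auditing was not enabled when the event was recorded, which is the gap the Event ID 4688 recommendation above is meant to close.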

Monitoring Recommendations

  • Enable verbose logging on the SmartCardController service if supported and forward logs to a centralized SIEM
  • Monitor for unusual outbound connections from servers hosting the IFI software, particularly SMB traffic that could indicate NTLM relay attempts
  • Implement network segmentation monitoring to detect lateral movement attempts following potential exploitation

How to Mitigate CVE-2026-23746

Immediate Actions Required

  • Upgrade Entrust IFI On Premise software to version 6.10.5 or 6.11.1 or later immediately
  • If immediate patching is not possible, isolate affected systems by restricting network access to the SmartCardController service port using firewall rules
  • Review service account permissions and apply the principle of least privilege to minimize post-exploitation impact
  • Audit system logs and network traffic for any indicators of prior exploitation

Patch Information

Entrust has released patched versions of the Instant Financial Issuance On Premise software that address this vulnerability. Organizations running version 5.x should upgrade to version 6.10.5 or 6.11.1 or later. Detailed patch information and download links are available through the Entrust Advisory on .NET Remoting Vulnerabilities. Additional technical analysis is available from VulnCheck's Advisory on Entrust RCE.

Workarounds

  • Implement strict network access controls to limit connectivity to the SmartCardController service port to only authorized management workstations
  • Deploy host-based firewall rules on affected servers to block incoming connections to the remoting port from untrusted networks
  • Consider disabling the SmartCardController service temporarily if card issuance operations can be suspended during the patching window
  • Enable Windows Defender Credential Guard to mitigate NTLM relay attack vectors
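
```powershell
# Example Windows Firewall configuration to restrict access to the SmartCardController service
# Replace PORT_NUMBER with the actual remoting port and TRUSTED_IP with the management subnet
# Block rules take precedence over allow rules in Windows Firewall, so a port-wide block rule
# would also cut off TRUSTED_IP. Use the default inbound block policy plus a scoped allow rule,
# and remove any broader existing allow rule for this port or for the service executable.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow SmartCardController from Trusted" dir=in protocol=tcp localport=PORT_NUMBER remoteip=TRUSTED_IP action=allow
```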

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Entrust
  • Severity: CRITICAL
  • CVSS Score: 9.3
  • EPSS Probability: 0.66%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-306

Technical References

  • Entrust Advisory on .NET Remoting Vulnerabilities
  • Entrust Financial Card Issuance Overview
  • VulnCheck Advisory on Entrust RCE