
CVE-2026-23751: Tungsten Capture Auth Bypass Vulnerability

CVE-2026-23751 is an authentication bypass vulnerability in Tungsten Capture (formerly Kofax Capture) that exposes a .NET Remoting channel, allowing remote file access and code execution. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-23751 Overview

CVE-2026-23751 affects Kofax Capture, now rebranded as Tungsten Capture, version 6.0.0.0 and potentially other versions. The Ascent Capture Service exposes a deprecated .NET Remoting HTTP channel on port 2424 without authentication. The endpoint uses a default, publicly known identifier, allowing remote attackers to invoke remoting objects directly. By abusing .NET Remoting object unmarshalling, attackers can instantiate a remote System.Net.WebClient and read or write arbitrary files. The same primitive enables NTLMv2 authentication coercion against attacker-controlled hosts. The flaw is classified under [CWE-306] Missing Authentication for Critical Function.

Critical Impact

Unauthenticated remote attackers can read arbitrary files, write attacker-controlled files, coerce NTLMv2 authentication, and achieve remote code execution or lateral movement depending on service account privileges.

Affected Products

  • Kofax Capture (Tungsten Capture) version 6.0.0.0
  • Other versions of Kofax Capture / Tungsten Capture may be affected
  • Ascent Capture Service listening on TCP port 2424

Discovery Timeline

  • 2026-04-23 - CVE-2026-23751 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-23751

Vulnerability Analysis

The Ascent Capture Service in Kofax/Tungsten Capture binds a .NET Remoting HTTP channel to TCP port 2424. .NET Remoting is a legacy Microsoft inter-process communication framework that Microsoft deprecated in favor of WCF. The service exposes a remoting endpoint identifier that is publicly documented and constant across installations. No authentication, signing, or channel encryption guards the endpoint. Remote callers can therefore enumerate exposed objects and invoke methods on them as if they were local.

The attack abuses .NET Remoting object unmarshalling. An attacker sends a crafted SOAP or binary remoting message referencing an arbitrary server-side type. The runtime instantiates the requested object inside the service process. By targeting System.Net.WebClient, the attacker gains primitives to download remote content into the service process and write local files via DownloadFile, or read files via UploadFile and DownloadString against UNC paths. Because the service runs with its configured Windows service account, attackers inherit those privileges.

Root Cause

The root cause is missing authentication on a critical function combined with use of a known-insecure IPC technology. Microsoft has documented that .NET Remoting endpoints must never be exposed to untrusted networks because unmarshalling allows arbitrary type instantiation. The vendor shipped the service with a default, well-known URI and no authentication layer.

Attack Vector

The attack vector is network-based with no privileges and no user interaction required. An attacker with TCP reachability to port 2424 sends a remoting request that unmarshals a System.Net.WebClient instance. The attacker then calls methods on that object to read files from the local filesystem, write files into directories writable by the service account, or trigger outbound SMB connections to attacker infrastructure. Those outbound SMB callbacks expose the service account's Net-NTLMv2 challenge-response hashes, which attackers can relay to other hosts or crack offline. Refer to the VulnCheck Security Advisory and the GitHub Gist Script for proof-of-concept tooling.

Detection Methods for CVE-2026-23751

Indicators of Compromise

  • Inbound TCP connections to port 2424 on Kofax/Tungsten Capture servers from unexpected sources
  • Outbound SMB (TCP 445) traffic from the Ascent Capture Service process to non-corporate destinations
  • Unexpected file writes or reads performed by the Ascent Capture Service account in sensitive directories
  • NTLM authentication events originating from the Capture server toward unknown external hosts

Detection Strategies

  • Inspect process telemetry for the Ascent Capture Service spawning child processes or making System.Net.WebClient requests against UNC paths
  • Alert on .NET Remoting SOAP requests containing __RequestUri or MethodCall payloads targeting port 2424
  • Correlate inbound traffic to 2424 with subsequent outbound SMB or HTTP connections from the same host
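As an added illustration of the second detection strategy above (inspecting requests to port 2424 for .NET Remoting SOAP markers), the following Python example is not part of this advisory and is not Tungsten product code. It parses a captured HTTP request, treats the presence of the CLR remoting namespaces in the SOAPAction header or the body as a remoting call, and escalates when the message references System.Net.WebClient or a UNC path. The request path `/AscentCaptureService`, the host name, the client addresses and the sample message are constructed placeholders, not the service's real endpoint URI.

```python
"""Inspect HTTP requests aimed at the Ascent Capture remoting port for .NET Remoting
SOAP markers and for types the service should never be asked to unmarshal."""
import re
from dataclasses import dataclass

REMOTING_PORT = 2424
# Namespaces the .NET Remoting SOAP formatter places in SOAPAction and message bodies.
CLR_NAMESPACE_MARKERS = (
    "schemas.microsoft.com/clr/nsassem/",
    "schemas.microsoft.com/soap/encoding/clr/",
)
# Types that have no business being invoked through a document-capture endpoint.
DANGEROUS_TYPES = ("System.Net.WebClient",)
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")   # matches \\host\share...


@dataclass
class Alert:
    severity: str
    client: str
    reason: str


def parse_http_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(client_ip: str, dst_port: int, raw: str, allowed_clients=()):
    """Return alerts for one captured request; an empty list means nothing to report."""
    alerts = []
    if dst_port != REMOTING_PORT:
        return alerts
    request_line, headers, body = parse_http_request(raw)
    soap_action = headers.get("soapaction", "").strip('"')
    text = soap_action + "\n" + body
    if not any(marker in text for marker in CLR_NAMESPACE_MARKERS):
        return alerts          # ordinary HTTP, not a remoting call
    if client_ip not in allowed_clients:
        alerts.append(Alert("medium", client_ip,
                            f".NET Remoting call from unexpected client: {request_line}"))
    for type_name in DANGEROUS_TYPES:
        if type_name in text:
            alerts.append(Alert("high", client_ip, f"remoting message references {type_name}"))
    if UNC_PATH.search(body):
        alerts.append(Alert("high", client_ip, "UNC path inside remoting message body"))
    return alerts


# Constructed sample capture: the path, host and addresses are placeholders, not the
# service's real endpoint URI.
SAMPLE_REQUEST = (
    "POST /AscentCaptureService HTTP/1.1\r\n"
    "Host: capture01:2424\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://schemas.microsoft.com/clr/nsassem/System.Net.WebClient/System#DownloadFile"\r\n'
    "\r\n"
    "<SOAP-ENV:Envelope><SOAP-ENV:Body>\\\\203.0.113.5\\share\\in.txt</SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def demo():
    """Run the inspector over the constructed capture with one baselined admin host."""
    return inspect_request("198.51.100.7", 2424, SAMPLE_REQUEST, allowed_clients=("10.10.20.15",))


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert.severity}] {alert.client}: {alert.reason}")
```

The allow-list of clients is the same baseline the monitoring section asks you to build; a remoting call from a baselined host still raises the high-severity alerts, because no legitimate Capture client should reference WebClient or UNC paths in a remoting message.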

Monitoring Recommendations

  • Forward Windows Security event IDs 4624 and 4648 logon events from Capture servers to a SIEM
  • Capture NetFlow or Zeek logs for any traffic to TCP 2424 and baseline expected client subnets
  • Monitor file system auditing on directories accessible to the Ascent Capture Service account
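To make the correlation strategy from the detection section and the NetFlow/Zeek baseline recommendation above concrete, here is an added Python example that is not from the advisory or the vendor. It works over a constructed subset of Zeek conn.log columns, flags remoting clients outside the baselined subnets, and pairs an inbound port-2424 connection with an outbound SMB connection from the same server to a non-corporate address within a configurable window. The server address, subnets and timestamps are constructed values.

```python
"""Correlate Zeek-style connection records: remoting clients outside the baseline, and
outbound SMB from a Capture server shortly after an inbound connection to port 2424."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Conn(NamedTuple):
    """Subset of Zeek conn.log columns used here."""
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int


REMOTING_PORT = 2424
SMB_PORT = 445


def parse_conn_log(text: str):
    """Parse tab-separated lines 'ts  id.orig_h  id.resp_h  id.resp_p', skipping '#' lines."""
    conns = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p = line.split("\t")
        conns.append(Conn(float(ts), orig_h, resp_h, int(resp_p)))
    return sorted(conns, key=lambda c: c.ts)


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def analyze(conns, capture_servers, expected_clients, corporate_nets, window=300):
    """Return (finding, source, destination, ts) tuples.

    expected_clients: subnets baselined as legitimate remoting clients
    corporate_nets:   address space where outbound SMB from the server is normal
    window:           seconds after an inbound 2424 connection in which outbound SMB
                      is treated as a possible authentication-coercion callback
    """
    capture = set(capture_servers)
    expected = [ip_network(n) for n in expected_clients]
    corporate = [ip_network(n) for n in corporate_nets]
    findings = []

    inbound = [c for c in conns if c.resp_h in capture and c.resp_p == REMOTING_PORT]
    for c in inbound:
        if not in_any(c.orig_h, expected):
            findings.append(("unexpected_remoting_client", c.orig_h, c.resp_h, c.ts))

    for c in conns:
        if c.orig_h not in capture or c.resp_p != SMB_PORT or in_any(c.resp_h, corporate):
            continue
        triggers = [i for i in inbound if i.resp_h == c.orig_h and 0 <= c.ts - i.ts <= window]
        if triggers:
            # attribute the callback to the most recent inbound remoting client
            findings.append(("possible_ntlm_coercion", triggers[-1].orig_h, c.resp_h, c.ts))
        else:
            findings.append(("external_smb_from_capture", c.orig_h, c.resp_h, c.ts))
    return findings


# Constructed sample: 10.10.30.5 is the Capture server, 10.10.20.0/24 the baselined
# client subnet, 10.0.0.0/8 the corporate range; other addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p",
    "1700000000.0\t10.10.20.15\t10.10.30.5\t2424",   # baselined client, benign
    "1700000100.0\t198.51.100.7\t10.10.30.5\t2424",  # remoting call from outside baseline
    "1700000130.0\t10.10.30.5\t203.0.113.9\t445",    # server reaches out over SMB 30 s later
    "1700000500.0\t10.10.30.5\t10.10.40.2\t445",     # corporate file server, benign
])


def demo():
    """Analyze the constructed log with the sample server, baseline and corporate range."""
    return analyze(parse_conn_log(SAMPLE_LOG), ["10.10.30.5"], ["10.10.20.0/24"], ["10.0.0.0/8"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Outbound SMB to a non-corporate address is reported even without a preceding remoting connection, since the NTLM coercion described above can also be triggered through a session the sensor did not see; the window only decides whether the finding is attributed to a specific remoting client.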

How to Mitigate CVE-2026-23751

Immediate Actions Required

  • Block TCP port 2424 at host and network firewalls from all untrusted networks immediately
  • Restrict the Ascent Capture Service to listen only on management interfaces or loopback where feasible
  • Run the Ascent Capture Service under a least-privileged local account, not a domain or SYSTEM account
  • Enable SMB signing and disable outbound SMB to the internet to limit NTLMv2 relay impact

Patch Information

No vendor patch is referenced in the published advisory at the time of NVD publication. Consult the Tungsten Automation Documentation and the VulnCheck Security Advisory for vendor updates and supported upgrade paths.

Workarounds

  • Segment Capture servers into a dedicated VLAN with strict ingress rules limiting access to authorized workstations
  • Disable or remove the deprecated .NET Remoting HTTP channel if the deployment does not require it
  • Apply host-based firewall rules to permit port 2424 only from specific administrative hosts
  • Deploy egress filtering to block outbound SMB and WebDAV from Capture servers to untrusted destinations
```cmd
:: Configuration example: Windows host firewall rules restricting port 2424 to an admin subnet.
:: Windows Firewall applies explicit block rules before allow rules, so a "block from any"
:: rule on 2424 would also override the admin-subnet allow rule. Keep the default inbound
:: policy at block and add only the narrow allow rule; remove any broader program-based
:: allow rule that already exists for the Ascent Capture Service binary.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

:: Allow only a specific admin subnet to reach the remoting port
netsh advfirewall firewall add rule name="Allow Ascent Capture Admin" ^
  dir=in action=allow protocol=TCP localport=2424 remoteip=10.10.20.0/24
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
