CVE-2026-23751 Overview
CVE-2026-23751 is a critical authentication bypass vulnerability affecting Kofax Capture (now known as Tungsten Capture). The vulnerability exists in the Ascent Capture Service, which exposes a deprecated .NET Remoting HTTP channel on port 2424 without requiring authentication. The service uses a default, publicly known endpoint identifier, allowing unauthenticated remote attackers to exploit .NET Remoting object unmarshalling techniques to instantiate remote objects and perform malicious operations.
An attacker exploiting this vulnerability can instantiate a remote System.Net.WebClient object to read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host. This can lead to sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
Critical Impact
Unauthenticated remote attackers can read/write arbitrary files, coerce NTLM authentication for credential theft, and potentially achieve remote code execution or lateral movement within the network.
Affected Products
- Kofax Capture version 6.0.0.0
- Tungsten Capture version 6.0.0.0
- Other versions may also be affected
Discovery Timeline
- April 23, 2026 - CVE-2026-23751 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23751
Vulnerability Analysis
This vulnerability stems from the use of deprecated .NET Remoting technology in the Ascent Capture Service. The service exposes an HTTP channel on TCP port 2424 that lacks authentication controls, representing a Missing Authentication for Critical Function weakness (CWE-306).
The .NET Remoting framework, which Microsoft deprecated due to inherent security concerns, allows remote object instantiation and method invocation across application boundaries. In this implementation, the service uses a publicly known default endpoint identifier, making it trivial for attackers to discover and connect to the vulnerable service.
Once connected, attackers can leverage .NET Remoting's object unmarshalling capabilities to instantiate arbitrary .NET objects on the server. By creating a System.Net.WebClient object remotely, attackers gain the ability to perform file system operations and network requests with the privileges of the service account running the Ascent Capture Service.
Root Cause
The root cause of this vulnerability is the Missing Authentication for Critical Function (CWE-306) in the Ascent Capture Service's .NET Remoting implementation. The service fails to implement any authentication mechanism on the exposed HTTP channel, and relies on a default, publicly known endpoint identifier that provides no security through obscurity. Additionally, the use of deprecated .NET Remoting technology, which has known security limitations regarding object deserialization and remote object instantiation, compounds the risk.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to TCP port 2424 can connect to the .NET Remoting endpoint and exploit the object unmarshalling functionality.
The exploitation process involves connecting to the unauthenticated .NET Remoting HTTP channel on port 2424, using the default endpoint identifier to establish a remoting session, instantiating a System.Net.WebClient object through .NET Remoting unmarshalling, and then using the instantiated object to perform one of several malicious actions: reading arbitrary files from the server filesystem, writing attacker-controlled content to the server, or coercing NTLMv2 authentication to capture credentials.
For detailed exploitation techniques, refer to the GitHub Gist Exploit Code and the VulnCheck Security Advisory.
Detection Methods for CVE-2026-23751
Indicators of Compromise
- Unexpected network connections to TCP port 2424 from external or unauthorized internal hosts
- .NET Remoting traffic patterns indicative of object instantiation requests to the Ascent Capture Service
- Unusual file read/write operations performed by the Ascent Capture Service process
- Outbound SMB authentication attempts from the server to external or unusual destinations indicating NTLM coercion
- Log entries showing System.Net.WebClient instantiation within the service context
Detection Strategies
- Monitor network traffic for connections to TCP port 2424 from untrusted sources using network intrusion detection systems
- Implement endpoint detection rules to identify suspicious .NET Remoting activity and WebClient object instantiation
- Configure file integrity monitoring on critical system directories to detect unauthorized file modifications
- Deploy SentinelOne Singularity to detect and block exploitation attempts through behavioral analysis and real-time threat detection
Monitoring Recommendations
- Enable verbose logging for the Ascent Capture Service to capture connection attempts and object instantiation events
- Configure network flow monitoring to track all traffic to/from port 2424 on affected systems
- Implement alerting for any outbound NTLM authentication attempts from Kofax/Tungsten Capture servers to unexpected destinations
- Use SentinelOne's network visibility features to identify lateral movement attempts following potential exploitation
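The port 2424 and outbound SMB monitoring described above can be prototyped against Windows Firewall logs. The following is an added example, not code from the advisory or the vendor: it assumes the `pfirewall.log` record layout, and the server address, expected SMB range, 60-second correlation window and sample log lines are all constructed for illustration (only the 10.0.0.0/24 trusted subnet is taken from the page's firewall example).

```python
from datetime import datetime, timedelta
import ipaddress

TRUSTED = ipaddress.ip_network("10.0.0.0/24")       # subnet from the page's allow rule
SMB_EXPECTED = ipaddress.ip_network("10.0.0.0/16")  # assumed: internal file servers
SERVER = "10.0.5.20"                                # constructed Capture server address
WINDOW = timedelta(seconds=60)                      # assumed correlation window

# Constructed sample records in pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-24 09:12:01 ALLOW TCP 10.0.0.15 10.0.5.20 50112 2424 0 - 0 0 0 - - - RECEIVE
2026-04-24 09:14:37 ALLOW TCP 10.0.9.77 10.0.5.20 50990 2424 0 - 0 0 0 - - - RECEIVE
2026-04-24 09:14:39 ALLOW TCP 10.0.5.20 203.0.113.50 49822 445 0 - 0 0 0 - - - SEND
2026-04-24 09:15:02 DROP TCP 198.51.100.7 10.0.5.20 41000 2424 0 - 0 0 0 - - - RECEIVE
2026-04-24 09:20:00 ALLOW TCP 10.0.5.20 10.0.0.10 49830 445 0 - 0 0 0 - - - SEND
2026-04-24 09:30:00 ALLOW TCP 10.0.5.20 192.0.2.9 49901 445 0 - 0 0 0 - - - SEND
"""

def parse(log_text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield rec

def find_alerts(log_text, server=SERVER):
    """Flag untrusted clients on 2424 and unexpected outbound SMB from the server."""
    alerts, last_untrusted = [], None
    for r in parse(log_text):
        if r["protocol"] != "TCP":
            continue
        src, dst = ipaddress.ip_address(r["src-ip"]), ipaddress.ip_address(r["dst-ip"])
        if r["dst-ip"] == server and r["dst-port"] == "2424" and src not in TRUSTED:
            alerts.append(("untrusted-remoting-client", r["src-ip"], r["action"]))
            if r["action"] == "ALLOW":          # only accepted sessions can coerce
                last_untrusted = r["ts"]
        elif r["src-ip"] == server and r["dst-port"] == "445" and dst not in SMB_EXPECTED:
            chained = last_untrusted is not None and r["ts"] - last_untrusted <= WINDOW
            kind = "smb-after-remoting" if chained else "unexpected-outbound-smb"
            alerts.append((kind, r["dst-ip"], r["action"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Windows Firewall writes ALLOW records only when logging of successful connections is enabled for the active profile, so enable it on Capture servers before relying on this check.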
How to Mitigate CVE-2026-23751
Immediate Actions Required
- Block external network access to TCP port 2424 using host-based and network firewalls immediately
- Restrict access to port 2424 to only trusted, necessary internal systems using strict network segmentation
- Review and audit the service account privileges running the Ascent Capture Service to limit potential impact
- Monitor for indicators of compromise and review historical logs for evidence of exploitation
Patch Information
Consult the Tungsten Automation Documentation for information regarding available patches and updated versions that address this vulnerability. Contact Tungsten Automation (formerly Kofax) support for specific remediation guidance and patch availability timelines.
Workarounds
- Implement strict firewall rules to block all external access to TCP port 2424 and limit internal access to essential systems only
- Consider disabling the Ascent Capture Service if not actively required for business operations until a patch is available
- Configure network segmentation to isolate systems running Tungsten Capture from sensitive network resources
- Enable SMB signing and disable NTLMv1 to reduce the impact of potential NTLM coercion attacks
- Run the Ascent Capture Service under a dedicated, low-privilege service account with minimal filesystem and network access
# Windows Firewall rule to block inbound access to port 2424 on the public and private profiles
netsh advfirewall firewall add rule name="Block Ascent Capture External Access" dir=in action=block protocol=tcp localport=2424 profile=public,private
# Allow only specific trusted IPs on the domain profile (replace with your management subnet).
# This limits access only if the default inbound action is Block and no broader
# allow rule for port 2424 already exists; remove or re-scope any such rule.
netsh advfirewall firewall add rule name="Allow Ascent Capture Trusted" dir=in action=allow protocol=tcp localport=2424 remoteip=10.0.0.0/24 profile=domain

