CVE-2026-23746

CRITICAL

Entrust Instant Financial Issuance (IFI) On Premise <6.10.5-6.11.1 ...

Title source: llm

Description

Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.

References (3)

[Various Sources] https://www.entrust.com/products/issuance-systems/instant/financial-card

[Various Sources] https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software

[Third Party Advisory] https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce

Scores

CVSS v4 9.3

EPSS 0.0039

EPSS Percentile 60.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-306 CWE-502

Status published

Products (4)

Entrust Corporation/Instant Financial Issuance (IF) 5.0

Entrust Corporation/Instant Financial Issuance (IF) 5.x

Entrust Corporation/Instant Financial Issuance (IF) 6.0 - 6.10.5

Entrust Corporation/Instant Financial Issuance (IF) 6.0 - 6.11.1

Published Jan 15, 2026

Tracked Since Feb 18, 2026