CVE-2026-25551
HIGHSeagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service
Title source: cnaDescription
Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\\SYSTEM.
References (3)
Core 3
Core References
Exploit technical-description
exploit
https://gist.github.com/VAMorales/dde5b1c0415a8505ccd6fafdb095a618
Product product
https://portal.seagullscientific.com/downloads/bartender
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/seagull-software-bartender-deserialization-privilege-escalation-via-net-remoting-service
Scores
CVSS v3
7.8
EPSS
0.0013
EPSS Percentile
2.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (1)
Seagull Software, LLC./BarTender 2021
R1 - 12.0.1
Published
Jun 04, 2026
Tracked Since
Jun 04, 2026