CVE-2025-58384
DOXENSE · DOXENSE WATCHDOC
Executive summary
A critical vulnerability has been identified in the DOXENSE WATCHDOC software, rated with the highest possible severity score. This flaw allows a remote, unauthenticated attacker to take complete control over the affected server by sending malicious data to the administration interface. Successful exploitation could lead to a total compromise of the system, data theft, and significant disruption to business operations.
Vulnerability
This vulnerability is a Deserialization of Untrusted Data flaw within the .NET Remoting library used by the Watchdoc administration interface. An unauthenticated attacker can send a specially crafted serialized object to the exposed .NET Remoting endpoint. The application fails to properly validate this incoming data before deserializing it, allowing the attacker to embed malicious code that is executed with the privileges of the Watchdoc service, leading to remote code execution.
Business impact
This vulnerability is of critical severity with a CVSS score of 10.0, indicating the highest possible risk. A successful exploit would grant an attacker complete control over the server hosting the DOXENSE WATCHDOC application. This could result in a total loss of confidentiality, integrity, and availability, leading to severe business consequences such as the theft of sensitive documents and user data, deployment of ransomware, disruption of printing services, and the use of the compromised server as a foothold to launch further attacks across the corporate network.
Remediation
Immediate Action: Update all instances of DOXENSE WATCHDOC to version 6.1.1.5332 or later, as recommended by the vendor. After patching, review access logs and system logs for any signs of compromise or unusual activity preceding the update.
Proactive Monitoring: Monitor network traffic for anomalous connections to the .NET Remoting port used by the Watchdoc administration interface. Security teams should look for unexpected processes spawned by the Watchdoc service account and review application event logs for deserialization errors or suspicious connection attempts.
Compensating Controls: If immediate patching is not feasible, implement strict network segmentation and firewall rules to restrict access to the Watchdoc administration interface. Access should be limited to a minimal set of trusted IP addresses, such as those used by system administrators, to reduce the attack surface.
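The monitoring signals and the admin-only access rule described above can be checked together over collected telemetry. The following is an added example, not code from the vendor or this advisory; the service account name, Remoting port, admin network, baseline child process and event field names are all constructed placeholders to be replaced with the values from your own deployment.

```python
import ipaddress
import re

# Constructed placeholders, NOT taken from the advisory: set these per deployment.
SERVICE_ACCOUNT = "corp\\svc-watchdoc-placeholder"   # account the Watchdoc service runs as
REMOTING_PORT = 65000                                 # placeholder, not the product's real port
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/28")]    # trusted administrator addresses
BASELINE_CHILDREN = {"conhost.exe"}                   # children observed during normal operation
# .NET raises System.Runtime.Serialization.SerializationException on malformed streams.
DESER_RE = re.compile(r"SerializationException|deserializ", re.IGNORECASE)


def triage(events):
    """Return (index, reason) for every event matching one of the three signals."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if ev["user"].lower() == SERVICE_ACCOUNT and image not in BASELINE_CHILDREN:
                findings.append((i, f"unexpected process {image} under service account"))
        elif kind == "net_conn" and ev["dst_port"] == REMOTING_PORT:
            src = ipaddress.ip_address(ev["src_ip"])
            if not any(src in net for net in ADMIN_NETS):
                findings.append((i, f"remoting connection from non-admin host {src}"))
        elif kind == "app_log" and DESER_RE.search(ev["message"]):
            findings.append((i, "deserialization error in application log"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE = [
    {"type": "net_conn", "src_ip": "10.0.5.3", "dst_port": 65000},
    {"type": "net_conn", "src_ip": "192.0.2.44", "dst_port": 65000},
    {"type": "app_log",
     "message": "System.Runtime.Serialization.SerializationException: constructed sample"},
    {"type": "process_create", "user": "CORP\\svc-watchdoc-placeholder",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process_create", "user": "CORP\\svc-watchdoc-placeholder",
     "image": "C:\\Windows\\System32\\conhost.exe"},
    {"type": "process_create", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE):
        print(idx, reason)
```

Build the baseline of child processes from a period of known-good operation before relying on the process check, since an empty baseline flags every child.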
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 10.0) of this vulnerability, we recommend immediate and urgent action. The primary remediation is to apply the security update provided by the vendor to all affected systems without delay. Although this vulnerability is not currently listed on the CISA KEV list, its potential for complete system compromise warrants treating it with the highest priority. If patching cannot be performed immediately, apply the recommended compensating controls to limit exposure while a patching schedule is finalized.