An unauthenticated remote code execution vulnerability in Spacelabs Healthcare Sentinel allows attackers to achieve full system control if the .NET Remoting port is network-accessible.

The vulnerability exists in a deprecated .NET Remoting HTTP channel exposed on port 8989. Unauthenticated attackers can send specifically crafted requests to perform arbitrary file read/write operations, facilitating the upload of ASPX webshells to the IIS directory.

With a CVSS score of 9.8, this flaw allows for complete compromise of the Sentinel system. Given its role in a healthcare environment, this poses severe risks, including the potential for unauthorized access to sensitive patient data, disruption of critical medical services, and loss of clinical system integrity.

Immediate Action: Update Sentinel to version 11.6.0 or higher. If an update is not immediately possible, disable the .NET Remoting HTTP channel or block access to port 8989 at the network firewall.

Proactive Monitoring: Monitor IIS logs for requests to suspicious ASPX files or unexpected file write operations in the web application directory.

Compensating Controls: Restrict network access to the Sentinel server to authorized management workstations only, ensuring that port 8989 is not reachable from untrusted networks.

Public Exploit Available: Unknown

This is a high-priority vulnerability. Organizations using Spacelabs Healthcare Sentinel must ensure the software is updated or that the affected port is immediately firewalled to prevent potential remote code execution by unauthenticated actors.