CVE-2026-23751

Kofax · Tungsten Capture

Kofax (Tungsten) Capture version 6.0.0.0 exposes an unauthenticated .NET Remoting HTTP channel on port 2424, allowing remote file read, write, and potential code execution.

Executive summary

A critical vulnerability in Tungsten Capture allows unauthenticated remote attackers to perform arbitrary file operations and potential remote code execution via a misconfigured .NET Remoting channel.

Vulnerability

The Ascent Capture Service exposes an unauthenticated .NET Remoting endpoint that permits remote object unmarshalling, enabling file system access and credential coercion.

Business impact

This vulnerability is rated 9.8 CVSS, representing a critical risk to business continuity and data security. Attackers can read sensitive files, modify system configurations, or trigger NTLM relay attacks, potentially leading to full administrative compromise of the server and lateral movement within the enterprise domain.

Remediation

Immediate Action: Disable the deprecated .NET Remoting HTTP channel if not required for business operations. Apply all vendor-provided security patches and updates immediately.

Proactive Monitoring: Audit network traffic for activity on port 2424 and monitor server logs for unauthorized file access patterns or unexpected NTLM authentication requests.

Compensating Controls: Implement strict firewall rules to block access to port 2424 from untrusted network zones and disable the Ascent Capture Service if it is not currently in use.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The exposure of unauthenticated administrative interfaces is a high-risk security failure. Organizations should prioritize patching or disabling the affected service immediately to prevent unauthorized access and potential data breach events.