CVE-2026-23751: Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting

CVSS 9.8 · Critical EPSS 0.19% · P41

I. Basic Information for CVE-2026-23751

Vulnerability Information


Vulnerability Title
Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting
Source: NVD (National Vulnerability Database)
Vulnerability Description
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Missing Authentication for Critical Function
Source: NVD (National Vulnerability Database)
Vulnerability Title
Kofax Capture Access Control Error Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
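Kofax Capture is an application from Kofax, a US company, that provides best-in-class prebuilt intelligent document processing capabilities. Kofax Capture version 6.0.0.0 contains an access control error vulnerability. The vulnerability stems from an exposed .NET Remoting HTTP channel that requires no authentication and uses a default, publicly known endpoint identifier. This allows an unauthenticated remote attacker to use .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files, or coerce NTLMv2 authentication to an attacker-controlled host.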
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)


Affected Products

Vendor: Tungsten Automation
Product: Kofax Capture
Affected Versions: 6.0.0.0
CPE: -

II. Public POCs for CVE-2026-23751


No public POC found.

