Key Information

Vulnerability Name: Entrust Instant Financial Issuance (IFI) SmartCardController Service .NET Remoting RCE
Severity: Critical
Published Date: January 15, 2026
Vulnerability ID: CVE-2026-23746
Related CWE:
  CWE-306 Missing Authentication for Critical Function
  CWE-502 Deserialization of Untrusted Data
CVSS Score: 9.3
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP Remoting Channel, but has unsafe formatter/settings that allow untrusted remote object invocation. A remote, unauthenticated attacker who can reach the Remoting port can invoke exposed remote objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.

References

  Instant Financial Issuance (IFI) Product Webpage
  Entrust Customer Portal
  Vendor Advisory