Seagull Software BarTender Vulnerabilities Enable RCE and Privilege Escalation

Severity: High (Score: 71.0)

Sources: cvefeed.io, Mallory.Ai, www.vulncheck.com

Published: 2026-06-04 · Updated: 2026-06-05

Keywords: bartender, seagull, service, software, remoting, cvefeed, high

Severity indicators: high severity, rce, ot, CVE:CVE-2026-25550

Summary

Seagull Software's BarTender has two critical vulnerabilities affecting versions 2010, 2016, 2019, and 2021. CVE-2026-25550 allows unauthenticated remote code execution via the .NET Remoting service on TCP port 7375, exposing sensitive data and enabling lateral movement. CVE-2026-25551 permits local privilege escalation for low-privileged users through insecure deserialization on the DataServiceSingleton endpoint. Both vulnerabilities stem from unsafe deserialization patterns and can lead to full system compromise. The issues were disclosed on June 4, 2026, and are currently unpatched, posing significant risks to affected systems. Organizations using these versions of BarTender are urged to assess their exposure and implement mitigations.

Key Points:

  • CVE-2026-25550 allows unauthenticated RCE on BarTender 2010, 2016, and 2019.
  • CVE-2026-25551 enables local privilege escalation on BarTender 2021 R1 through 12.0.1.
  • Both vulnerabilities are due to unsafe deserialization and are currently unpatched.

Detailed Analysis

Impact

Seagull Software BarTender users across versions 2010, 2016, 2019, and 2021 R1 through 12.0.1 are affected globally. The vulnerabilities enable unauthenticated remote code execution (RCE) and local privilege escalation to SYSTEM, risking full system compromise, credential theft, and lateral movement. Critical business operations relying on BarTender for printing and labeling in manufacturing, logistics, and healthcare sectors may face operational disruption and data exposure. No specific numbers or geographic concentrations were provided.

Technical Details

Both vulnerabilities are reachable through the .NET Remoting service that BtSystem.Service.exe exposes on TCP port 7375. CVE-2026-25550 allows unauthenticated remote attackers to exploit unsafe deserialization in the singleton endpoints (BarTenderSystem and DataServiceSingleton), which are registered with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, enabling arbitrary file access, NTLMv2 coercion, and RCE as NT AUTHORITY\SYSTEM. CVE-2026-25551 permits local privilege escalation through insecure deserialization on the localhost-bound DataServiceSingleton endpoint, with payloads generated by tools such as YSoSerial.NET. Both flaws share the same unsafe deserialization pattern and map to the initial access and privilege escalation stages of the kill chain. No specific IOCs were detailed.

Recommended Response

Apply vendor patches addressing CVE-2026-25550 and CVE-2026-25551 across all affected BarTender versions as soon as they are available. Restrict or monitor access to TCP port 7375, especially from untrusted networks, and enforce network segmentation to limit local exploitation. Deploy detection rules for anomalous .NET Remoting activity and BinaryFormatter payloads, including YSoSerial.NET signatures. Monitor for unusual NTLMv2 authentication attempts indicative of coercion attacks. While patches are unavailable, prioritize isolating vulnerable endpoints and enhancing endpoint detection capabilities.
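One concrete form the "restrict or monitor access to TCP port 7375" guidance can take is a check over host network-connection telemetry. The script below is an added example written for this summary, not code from the advisories or from Seagull Software: it parses constructed Sysmon-style key=value lines and flags inbound connections to the BtSystem.Service.exe listener on TCP 7375, separating off-host sources (the exposure relevant to CVE-2026-25550) from loopback sources (the localhost-bound endpoint relevant to CVE-2026-25551). The field names, the sample lines, the install path, and the ALLOWED_SOURCES subnet are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Listener named in the advisory: BtSystem.Service.exe serving .NET Remoting on TCP 7375.
REMOTING_PORT = 7375
REMOTING_IMAGE = "BtSystem.Service.exe"

# Subnets from which remoting traffic is expected. Assumed for this example;
# a real deployment fills this from its own segmentation policy.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample telemetry, loosely modelled on Sysmon Event ID 3 fields.
# The install path is a placeholder, not the product's real location.
SAMPLE_EVENTS = [
    r"Image=C:\BarTender\BtSystem.Service.exe Initiated=false SourceIp=192.168.1.77 SourcePort=51234 DestinationIp=10.20.30.5 DestinationPort=7375",
    r"Image=C:\BarTender\BtSystem.Service.exe Initiated=false SourceIp=10.20.30.40 SourcePort=51240 DestinationIp=10.20.30.5 DestinationPort=7375",
    r"Image=C:\BarTender\BtSystem.Service.exe Initiated=false SourceIp=127.0.0.1 SourcePort=49801 DestinationIp=127.0.0.1 DestinationPort=7375",
    r"Image=C:\Windows\System32\svchost.exe Initiated=true SourceIp=10.20.30.5 SourcePort=52001 DestinationIp=10.20.30.9 DestinationPort=443",
    r"Image=C:\Other\listener.exe Initiated=false SourceIp=192.168.1.78 SourcePort=51300 DestinationIp=10.20.30.5 DestinationPort=7375",
]


@dataclass
class Finding:
    source_ip: str
    source_port: int
    classification: str  # "remote", "allowed_remote" or "local"
    cve: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a flat key=value telemetry line into a dict (values contain no spaces)."""
    return dict(_KV.findall(line))


def classify_event(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for an inbound connection to the BarTender remoting listener, else None."""
    if event.get("Initiated", "").lower() != "false":
        return None  # outbound connections are not the listener being reached
    if int(event.get("DestinationPort", "0")) != REMOTING_PORT:
        return None
    if not event.get("Image", "").endswith(REMOTING_IMAGE):
        return None  # some other program bound to the same port
    src = ipaddress.ip_address(event["SourceIp"])
    dst = ipaddress.ip_address(event["DestinationIp"])
    port = int(event["SourcePort"])
    if src.is_loopback or src == dst:
        # Traffic to the localhost-bound DataServiceSingleton endpoint: the path the
        # local privilege-escalation issue uses, so baseline it rather than alert on every hit.
        return Finding(str(src), port, "local", "CVE-2026-25551")
    if any(src in net for net in ALLOWED_SOURCES):
        return Finding(str(src), port, "allowed_remote", "CVE-2026-25550")
    # Off-host reach to the unauthenticated endpoint from outside the expected
    # segment: the exposure the advisory says to restrict, so this is the alert case.
    return Finding(str(src), port, "remote", "CVE-2026-25550")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over telemetry lines and keep only the relevant hits."""
    findings = []
    for line in lines:
        finding = classify_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per classification for a quick exposure triage."""
    counts = {"remote": 0, "allowed_remote": 0, "local": 0}
    for finding in findings:
        counts[finding.classification] += 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.classification:15} {f.source_ip}:{f.source_port}  ({f.cve})")
    print(summarize(results))
```

A "remote" finding is evidence that the unauthenticated endpoint is reachable from outside the expected segment, not proof of exploitation; it is the trigger for the segmentation and isolation steps above, and pairs with the NTLMv2 coercion monitoring the advisory recommends for the same hosts.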

Source articles (4)

  • Critical .NET Remoting Flaws Expose Seagull BarTender to RCE and SYSTEM Escalation — Mallory.Ai · 2026-06-04
    Seagull Software BarTender was found to contain two high-severity flaws in the .NET Remoting service exposed by BtSystem.Service.exe on TCP port 7375. CVE-2026-25550 affects BarTender 2010, 2016, and…
  • CVE-2026-25551 - Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service — cvefeed.io · 2026-06-04
    Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoti…
  • CVE-2026-25550 - Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service — cvefeed.io · 2026-06-04
    Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The servi…
  • Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service | Advisories | VulnCheck — www.vulncheck.com · 2026-06-04

Timeline

  • 2026-06-04 — CVE-2026-25550 published: Unauthenticated RCE vulnerability disclosed for BarTender 2010, 2016, and 2019 via .NET Remoting service.
  • 2026-06-04 — CVE-2026-25551 published: Insecure deserialization vulnerability disclosed for BarTender 2021 R1 through 12.0.1, allowing local privilege escalation.
  • 2026-06-04 — Vulnerabilities reported: Seagull Software BarTender vulnerabilities reported, affecting multiple versions and enabling serious security risks.

CVEs

  • CVE-2026-25550
  • CVE-2026-25551

Related entities

  • Data Breach (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Seagull Software (Company)
  • CWE-306 - Missing Authentication for Critical Function (CWE)
  • CWE-502 - Deserialization of Untrusted Data (CWE)
  • cvefeed.io (Domain)
  • vulncheck.com (Domain)
  • ysoserial.net (Tool)
  • T1068 - Exploitation for Privilege Escalation (MITRE ATT&CK)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)