
A Hidden Door Left Wide Open: Critical Flaw in Popular Document Software Lets Hackers Read Any File on Your Server

A critical 9.8-rated vulnerability in Tungsten Capture leaves corporate document servers exposed to unauthenticated attackers who can read, write, or hijack files remotely.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Tungsten Capture Critical Vulnerability CVE-2026-23751

If your company uses Tungsten Capture — formerly known as Kofax Capture — to scan and process documents, a stranger on the internet may already have a key to every file on that server, and they didn't need a password to get it.

Who Is at Risk — and How Many Organizations

Tungsten Capture, sold by Tungsten Automation (formerly Kofax), is one of the most widely deployed enterprise document capture platforms in the world. It's used by banks processing loan applications, hospitals digitizing patient records, government agencies scanning forms, and insurance companies ingesting claims — anywhere large organizations need to convert paper documents into digital data at scale. Tens of thousands of deployments exist globally, with particularly heavy concentration in regulated industries where document handling is core business infrastructure.

The vulnerability, tracked as CVE-2026-23751 and carrying a near-perfect severity score of 9.8 out of 10, affects at minimum version 6.0.0.0 of the software, with researchers noting other versions may also be impacted. For any organization running an affected server reachable from outside its internal network — or even from an untrusted segment inside it — the exposure is immediate, and exploitation needs no credentials and nothing beyond publicly available tooling. There is no login screen to bypass. There is no password to guess. The door is simply open.

⚠ CVSS Score: 9.8 / 10 — CRITICAL
No authentication required. Exploitable remotely over the network. Enables file read, file write, and credential theft. Patch or mitigate immediately.

What an Attacker Can Actually Do to You

Picture your document server as a locked office building. Normally, visitors have to check in at the front desk, show ID, and be escorted. This vulnerability is the equivalent of discovering that the building also has an old service entrance — one installed years ago during a renovation, never properly decommissioned — that has no lock, no camera, and opens directly into the filing room. Anyone who knows the address can walk straight in.

Through this unguarded service entrance, an attacker can do three very damaging things. First, they can read any file on the server's hard drive — that means configuration files, stored credentials, archived scanned documents, tax records, medical images, or any other data sitting on that machine. Second, they can write new files to the server, which in practice means planting malicious code, a ransomware payload, a backdoor, or falsified documents. Third, and perhaps most insidiously, they can trick the server into reaching out to a machine the attacker controls, causing the server to hand over its Windows network credentials in a challenge-response form (an NTLM hash) that can often be cracked offline or relayed to other internal services to pivot deeper into the corporate network — a technique known as credential coercion.

None of this requires the attacker to be particularly sophisticated. The pathway in is well-documented in security research going back years, and the specific identifier needed to reach the open service on port 2424 is publicly known — it's essentially printed on the door. A determined attacker with modest skills could chain these capabilities together: read stored credentials, write a malicious file, trigger its execution, and own the server entirely within minutes of finding it.

Technical Anchor — For Security Researchers
Vulnerability Class: Insecure Deserialization via .NET Remoting (BinaryFormatter)

The Ascent Capture Service exposes a legacy .NET Remoting HTTP channel on TCP port 2424 using a default, publicly documented endpoint identifier. The channel accepts unauthenticated inbound connections and processes serialized .NET objects using the BinaryFormatter pipeline, a deserializer Microsoft marked obsolete in .NET 5 and has since removed from the runtime in .NET 9 specifically because it permits type confusion and arbitrary object instantiation during deserialization (it remains available on .NET Framework, the only runtime that ships .NET Remoting). An attacker can craft a serialized payload (e.g., via ysoserial.net gadget chains) that instantiates a System.Net.WebClient object server-side, yielding arbitrary outbound HTTP requests, UNC path coercion for NTLMv2 hash capture, arbitrary filesystem read via System.IO.File, and file write primitives. Because the channel uses no transport-level authentication and no type filtering, the full deserialization gadget surface is available to any network-reachable client. CVSSv3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
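As an added practitioner check (this is not vendor code and not part of the original analysis), the following PowerShell tells you, from an admin workstation, whether a host answers on TCP 2424 with something that looks like a .NET Remoting HTTP channel. It assumes the channel is plain HTTP on that port, that the listener answers a GET for an unregistered object URI with an HTTP error whose Server header begins with "MS .NET Remoting" (the default behaviour of the .NET Framework HttpServerChannel; the exact CLR version suffix varies), and that you are authorized to probe the targets. It never sends a serialized object, so it cannot reach the deserialization path, and a negative result is not proof of safety: a channel bound to a different port, or fronted by TLS or a proxy, would be missed.

```powershell
# Added example: network-side fingerprint of a .NET Remoting HTTP channel on TCP 2424.
# Not from Tungsten Automation or the original article. Assumptions: plain HTTP on the
# port, the default "Server: MS .NET Remoting, ..." response header, and authorization
# to probe the hosts you pass in.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [int] $Port = 2424
)

function Test-DotNetRemotingChannel {
    param([string] $Target, [int] $Port)

    $result = [ordered]@{
        Target            = $Target
        Port              = $Port
        TcpOpen           = $false
        HttpStatus        = $null
        ServerHeader      = $null
        LooksLikeRemoting = $false
    }

    # Layer 4 first: is anything listening at all?
    $result.TcpOpen = Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $result.TcpOpen) { return [pscustomobject] $result }

    # Harmless GET for a URI no remoting object is registered under. The channel normally
    # answers with an HTTP error, and that error response still carries the Server header.
    $req = [System.Net.HttpWebRequest]::Create("http://${Target}:${Port}/")
    $req.Method    = 'GET'
    $req.Timeout   = 5000
    $req.UserAgent = 'remoting-fingerprint/1.0'

    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # Non-2xx responses surface as WebException; the response object is attached to it
        # (it is $null for timeouts and connection resets, which the code below tolerates).
        $resp = $_.Exception.Response
    }

    if ($resp) {
        $result.HttpStatus   = [int] $resp.StatusCode
        $result.ServerHeader = $resp.Headers['Server']
        $resp.Close()
    }

    # Match the header family rather than an exact string; the CLR build number varies.
    $result.LooksLikeRemoting = [bool] ($result.ServerHeader -match '^MS \.NET Remoting')
    [pscustomobject] $result
}

$ComputerName |
    ForEach-Object { Test-DotNetRemotingChannel -Target $_ -Port $Port } |
    Format-Table -AutoSize
```

Save it as, for example, Test-Remoting2424.ps1 (the file name is arbitrary) and run `.\Test-Remoting2424.ps1 -ComputerName capture01,10.0.0.5`. A row with TcpOpen true and LooksLikeRemoting true is a host to isolate first; a row with TcpOpen true and a different Server header still deserves a look, because something else is answering on the port the vendor service normally uses.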

How This Was Discovered — and Whether Anyone Has Been Hit

At the time of publication, no confirmed active exploitation has been observed in the wild, and no known threat actor campaigns have been attributed to this specific vulnerability. That is not a reason to relax. The security community's experience with similar flaws — particularly unauthenticated deserialization vulnerabilities on well-known enterprise platforms — is that the window between public disclosure and weaponized exploitation can be measured in days, not months. Automated scanning tools can identify exposed port 2424 services globally within hours of a disclosure like this one.

The .NET Remoting attack class that underpins this flaw is not novel or experimental. It has been documented, tooled, and exploited in production environments for years across other products. The specific technique used here — coercing a server into making outbound requests to harvest Windows authentication credentials — was popularized in attacks against Exchange servers and other enterprise platforms. Security teams that lived through those incidents will recognize the pattern immediately.

"Legacy remoting channels are a graveyard of trust assumptions that made sense in 2003 and are catastrophic today. The moment you expose one without authentication filtering, you've handed an attacker a loaded weapon with their name already on the trigger." — a characterization consistent with multiple published analyses of .NET Remoting exposure in enterprise software

The vulnerability was assigned CVE-2026-23751. Organizations are encouraged to check with Tungsten Automation directly for vendor advisories and to monitor the National Vulnerability Database entry for updates as additional affected versions are confirmed.

📋 Who should read this alert immediately: IT administrators running Kofax Capture or Tungsten Capture in any version, security operations teams responsible for document management infrastructure, and managed service providers with enterprise document capture in their client portfolios.

Three Things to Do Right Now

  1. Identify and isolate exposed instances immediately. Scan your environment for any host with TCP port 2424 open and running the Ascent Capture Service. Use your firewall or network access controls to block all inbound connections to port 2424 from any source that is not a verified, trusted internal capture workstation. If the service is internet-facing, take it offline until a patch is applied. This single step eliminates the most critical external attack surface while you work on a permanent fix.
  2. Apply the vendor patch as soon as Tungsten Automation releases it — and confirm you are on a supported version. Check the Tungsten Automation support portal for a patched release addressing CVE-2026-23751. The confirmed affected version is 6.0.0.0; treat all earlier versions as equally suspect until the vendor clarifies scope. If your deployment is significantly out of date, prioritize upgrading to the latest supported release branch, which is more likely to have the legacy remoting channel disabled by default or removed entirely.
  3. Audit your server for signs of prior compromise. Review Windows Event Logs and network flow data for unexpected outbound connections from your Capture server to external IP addresses — particularly over ports 80, 443, or SMB (445). Look for newly created files in service directories, unexpected scheduled tasks, or new local user accounts. If you find anomalies, treat the server as compromised: preserve forensic images, rotate all credentials stored on or accessible from that server (including service account passwords), and notify your incident response team. Do not simply patch and move on without ruling out prior access.
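The three steps above, as one script to run elevated on the Capture server itself. This is an added example, not Tungsten Automation's code and not part of the original alert, and it rests on assumptions you should check before running it: the Windows service's display name contains "Ascent Capture"; the Programs and Features entry matches 'Kofax Capture' or 'Tungsten Capture'; the addresses in $TrustedCaptureHosts are constructed placeholders for your real scan workstations; the firewall rule name is ours; and Sysmon is installed so that network connections appear as Event ID 3. It handles the host firewall only; if the server is internet-facing, the perimeter rule or taking it offline is a separate action.

```powershell
# Added example: run elevated on the Capture server. Not vendor code and not from the
# original article. Assumptions (constructed for illustration): service display name
# contains "Ascent Capture"; uninstall entry matches 'Kofax Capture|Tungsten Capture';
# $TrustedCaptureHosts are placeholder addresses; Sysmon Event ID 3 is available.
$Port                = 2424
$TrustedCaptureHosts = @('10.20.30.11', '10.20.30.12')
$Since               = (Get-Date).AddDays(-30)
$PrivateNet          = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)'

# ---- 1. Identify the listener and restrict who may reach it ----
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Ascent Capture%'" | Select-Object -First 1
$svcExe = if ($svc -and $svc.PathName -match '^"([^"]+)"') { $Matches[1] }
          elseif ($svc) { ($svc.PathName -split ' ')[0] }
          else { 'NO-SERVICE-FOUND' }
$listening = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
"Service: {0}  State: {1}  Listening on TCP {2}: {3}" -f $svc.Name, $svc.State, $Port, [bool] $listening

if ($listening) {
    # The host firewall denies inbound by default, so disabling broad Allow rules and adding
    # one scoped rule is enough. Confirm nobody has changed the default to Allow.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

    # Disable any existing inbound Allow rule (installer-created or otherwise) for this port.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    New-NetFirewallRule -DisplayName "Capture TCP $Port - trusted capture stations only" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $TrustedCaptureHosts -Action Allow | Out-Null
}

# ---- 2. Compare the installed version with the confirmed affected 6.0.0.0 ----
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Kofax Capture|Tungsten Capture' -and $_.DisplayVersion } |
    ForEach-Object {
        $v = $null
        if (-not [version]::TryParse(($_.DisplayVersion -replace '[^\d.]'), [ref] $v)) { return }
        $verdict = if ($v -le [version] '6.0.0.0') { 'affected or suspect: patch, or keep isolated' }
                   else { 'newer than 6.0.0.0: confirm scope against the vendor advisory' }
        "{0} {1}: {2}" -f $_.DisplayName, $v, $verdict
    }

# ---- 3. Look for signs of prior compromise ----
# a) New local accounts (4720), new scheduled tasks (4698), new services (7045).
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4698; StartTime = $Since } -ErrorAction SilentlyContinue
$sys = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7045;       StartTime = $Since } -ErrorAction SilentlyContinue
@($sec; $sys) | Where-Object { $_ } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# b) Outbound connections to non-private addresses. Sysmon attributes SMB (445) to the
#    kernel redirector (Image: System), not to the service, so 445 is flagged for any image;
#    80/443 only when the service binary itself initiated the connection.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'DestinationIp: (\S+)' -and $Matches[1] -notmatch $PrivateNet -and
        $_.Message -match 'DestinationPort: (\d+)' -and (
            $Matches[1] -eq '445' -or
            ($Matches[1] -in @('80', '443') -and $_.Message -match ('Image: ' + [regex]::Escape($svcExe)))
        )
    } |
    Select-Object TimeCreated, @{ n = 'Connection'; e = {
        (($_.Message -split "`r?`n") -match '^(Image|DestinationIp|DestinationPort): ') -join '  ' } } |
    Format-Table -AutoSize -Wrap

# c) Executable content recently written under the service's install directory.
if ($svc) {
    Get-ChildItem (Split-Path $svcExe -Parent) -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since -and $_.Extension -in '.exe', '.dll', '.ps1', '.bat', '.vbs', '.js', '.aspx' } |
        Select-Object FullName, LastWriteTime
}
```

Anything step 3 surfaces is a reason to stop and image the box before touching it further; the script reads logs and lists files but deliberately deletes nothing. If Sysmon is not deployed, section (b) returns nothing rather than failing, and you will need firewall or NetFlow records from the network side to answer the same question.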

CVE: CVE-2026-23751  |  CVSS: 9.8 Critical  |  Affected product: Tungsten Capture (formerly Kofax Capture) v6.0.0.0 and potentially others  |  Exploitation status: No confirmed active exploitation at time of publication. Monitor NVD and vendor advisories for updates.

// TOPICS
#dotnet-remoting #unauthenticated-rce #insecure-deserialization #arbitrary-file-access #default-credentials