CVE-2026-25551

Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service

Assigner: VulnCheck
Reserved: 02.02.2026 Published: 04.06.2026 Updated: 04.06.2026

Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\SYSTEM.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Seagull Software, LLC.
Product	BarTender 2021
Versions	Default: affected affected from R1 to 12.0.1 (incl.)

Vendor

Seagull Software, LLC.

Product

BarTender 2021

Versions

Default: affected

affected from R1 to 12.0.1 (incl.)

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp. finder
Jan A. Rodriguez, Pentester, GM Sectec, Corp. finder
VulnCheck finder

References

Problem Types