CVE-2026-26222

DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE

Assigner: VulnCheck
Reserved: 11.02.2026 Published: 24.02.2026 Updated: 24.02.2026

Altec DocLink (now maintained by Beyond Limits Inc.) version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP via Altec.RDCHostService.exe using the ObjectURI "doclinkServer.soap". The service does not require authentication and is vulnerable to unsafe object unmarshalling, allowing remote attackers to read arbitrary files from the underlying system by specifying local file paths. Additionally, attackers can coerce SMB authentication via UNC paths and write arbitrary files to server locations. Because writable paths may be web-accessible under IIS, this can result in unauthenticated remote code execution or denial of service through file overwrite.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Beyond Limits Inc.
Product	Altec DocLink
Versions	Default: unknown Version 4.0.336.0 is affected

Vendor

Beyond Limits Inc.

Product

Altec DocLink

Versions

Default: unknown

Version 4.0.336.0 is affected

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp finder
Omar Crespo, Pentester, GM Sectec, Corp finder

References

Problem Types