CVE-2026-23751
published 2026-04-23CVE-2026-23751: Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port…
PriorityP274critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.88%
54.6th percentile
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tungsten_automation | tungsten_capture | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-pc62-x5ww-3xm5: Kofax Capture, now referred to as Tungsten Capture, version 6
ghsa_unreviewed·2026-04-23
CVE-2026-23751 [CRITICAL] CWE-306 GHSA-pc62-x5ww-3xm5: Kofax Capture, now referred to as Tungsten Capture, version 6
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.
VulDB
Tungsten Automation Kofax Capture 6.0.0.0 Ascent Capture Service missing authentication (EUVD-2026-25228)
vuldb·2026-04-23·CVSS 9.3
CVE-2026-23751 [CRITICAL] Tungsten Automation Kofax Capture 6.0.0.0 Ascent Capture Service missing authentication (EUVD-2026-25228)
A vulnerability was found in Tungsten Automation Kofax Capture 6.0.0.0. It has been classified as critical. This affects an unknown function of the component Ascent Capture Service. The manipulation leads to missing authentication.
This vulnerability is uniquely identified as CVE-2026-23751. The attack is possible to be carried out remotely. No exploit exists.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-23
Published