Seagull BarTender Unauthenticated Remote Code Execution (CVE-2026-25550): .NET Remoting Vulnerability in Enterprise Label Automation Platform

nick

Seagull BarTender Unauthenticated Remote Code Execution (CVE-2026-25550): .NET Remoting Vulnerability in Enterprise Label Automation Platform

by

An unauthenticated remote code execution vulnerability in Seagull Scientific BarTender, tracked as CVE-2026-25550, allows attackers to execute arbitrary commands on affected systems via the exposed .NET Remoting service on TCP port 7375. The vulnerability carries a CVSS score of 9.8 and affects BarTender 2010, 2016 (through R9), and 2019 (through R10) — versions widely deployed in manufacturing, logistics, healthcare, and retail environments for enterprise label design and printing automation.

What Is the Vulnerability?

CVE-2026-25550 is a missing authentication vulnerability in BarTender’s BtSystem.Service.exe .NET Remoting service. The service registers unauthenticated singleton endpoints — BarTenderSystem for BarTender 2016 R9 and earlier, and DataServiceSingleton for BarTender 2019 R10 and earlier — configured with BinaryServerFormatterSinkProvider and TypeFilterLevel.Full. This configuration allows remote clients to interact with the endpoint without any authentication and with full type fidelity, enabling deserialization-based remote code execution.

.NET Remoting with TypeFilterLevel.Full and no authentication is a known-dangerous configuration that has been a documented attack vector for over a decade. An attacker who can reach TCP port 7375 on a system running BarTender can send crafted .NET Remoting messages that trigger arbitrary code execution in the context of the BarTender service, which typically runs with elevated privileges. BarTender is used to design and print labels, barcodes, RFID tags, and compliance documentation — it integrates with ERP systems, warehouse management systems, and manufacturing execution systems, often running on servers with access to production networks and manufacturing data.

  • CVSS v3.1 Score: 9.8 (Critical)
  • CWE: CWE-306 (Missing Authentication for Critical Function)
  • Attack Vector: Network — TCP port 7375
  • Privileges Required: None (PR:N)

Which Versions Are Affected?

  • Seagull BarTender 2010 — all versions
  • Seagull BarTender 2016 — all versions through R9 (R10 and later are patched)
  • Seagull BarTender 2019 — all versions through R10 (R11 and later are patched)

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed at the time of writing. However, .NET Remoting deserialization attacks are well-understood and exploit tooling is readily available. The vulnerability was published on June 4, 2026 with full technical details. Organisations in manufacturing, logistics, and healthcare — where BarTender is commonly deployed — should patch proactively and not wait for confirmed exploitation.

What Is the Fix?

Seagull Scientific has released patched versions. Upgrade BarTender to BarTender 2016 R10 or later, BarTender 2019 R11 or later, or the current BarTender release. Download from:

https://portal.seagullscientific.com/downloads/bartender

Recommendations

Upgrade BarTender immediately. CVSS 9.8 with unauthenticated RCE on a platform that runs in production-critical environments demands urgent attention.

Verify network exposure of TCP port 7375. Even after upgrading, ensure that the BarTender .NET Remoting service is not exposed to untrusted networks. Use Windows Firewall or network segmentation to restrict access to TCP 7375 to only authorised BarTender clients and administrative workstations.

Audit BarTender deployment across your environment. BarTender is often deployed by operational technology (OT) teams rather than IT, and may not be included in routine vulnerability scanning. Identify all systems running BarTender — particularly in manufacturing plants, warehouses, distribution centres, and healthcare labelling stations — and verify their patch level.

Monitor for exploitation attempts. Review Windows Event Logs and network monitoring data for connections to TCP port 7375 from unrecognised IP addresses. Unexpected .NET Remoting traffic to this port should be investigated as potential exploitation attempts.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026.

Threat Modeling and Security by Design

Threat modeling and Security by Design methods, tools, and approaches to help secure your business and IT landscape.

Terms of Service | Privacy Policy

AI chatbot & help center by 99helpers.com

Threat Modeling
Threat Modeling Tool
Threat Modeling Tool Explainer
What is Threat Modeling?
STRIDE Threat Modeling
PASTA Threat Modeling
Automated Threat Modeling
Threat Modeling Framework
CISO Security Mind Map 2026
CIS Controls
OWASP Top 10

© Threat-Modeling.com

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!