Grim Remoting: The Ghost of .NET Past Haunts Hyland OnBase
Vulnerability ID: CVE-2026-26221
CVSS Score: 10.0
Published: 2026-02-13
In the world of enterprise software, nothing ever truly dies; it just becomes a legacy service running with SYSTEM privileges. CVE-2026-26221 is a catastrophic, unauthenticated Remote Code Execution vulnerability in Hyland OnBase's Workflow Timer Service. By leveraging the ancient and insecure .NET Remoting protocol, attackers can turn a helper service into a full-blown command center, executing arbitrary code via insecure deserialization. It's a classic case of 2005-era architecture meeting modern exploitation tools, resulting in a CVSS 10.0 nightmare.
TL;DR
Unauthenticated RCE in Hyland OnBase Workflow Timer Service via TCP port 8900. The service uses insecure .NET Remoting with BinaryFormatter. Attackers can send a crafted payload to execute code as NT AUTHORITY\SYSTEM. Fix: Uninstall the legacy service and migrate to Unity Scheduler.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-502 (Deserialization of Untrusted Data)
- CVSS v4.0: 10.0 (Critical)
- Attack Vector: Network (TCP/8900)
- Authentication: None Required
- Privileges: NT AUTHORITY\SYSTEM
- Exploit Reliability: High (Stable)
Affected Systems
- Hyland OnBase Workflow Timer Service (v8.0 - v17.0.x)
- Hyland OnBase Workview Timer Service (Legacy versions)
- OnBase Workflow Timer Service: 8.0 - 17.0.x (Fixed in: N/A (Migrate to Unity Scheduler))
Exploit Details
- GitHub: Full PoC leveraging ysoserial.net to achieve RCE on the Timer Service.
Mitigation Strategies
- Uninstall Legacy Service
- Network Segmentation
- Migrate to Unity Scheduler
Remediation Steps:
- Identify servers running 'Hyland OnBase Workflow Timer Service'.
- Verify if the Unity Scheduler component is installed and configured.
- Stop and disable the legacy Workflow Timer Service.
- Uninstall the legacy component via 'Add/Remove Programs' or the Hyland installer.
- Block TCP port 8900 at the network perimeter and host firewall.
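The host-level steps above can be checked and applied with a short PowerShell script; this is an added example, not Hyland's tooling or code from the original report. The `*Unity Scheduler*` display-name pattern and the firewall rule name are assumptions to adjust for your deployment, and the uninstall step is still done through 'Add/Remove Programs' or the Hyland installer.

```powershell
# Added example: audit, then optionally contain, the legacy Timer Service on this host.
# Run elevated. Without -Contain the script only reports and changes nothing.
param(
    [switch]$Contain,
    # Display name taken from the advisory; wildcards tolerate naming variants.
    [string]$LegacyPattern = '*OnBase Workflow Timer Service*',
    # ASSUMPTION: set this to the Unity Scheduler service display name you use.
    [string]$UnityPattern  = '*Unity Scheduler*',
    [int]$Port = 8900
)

$legacy = @(Get-Service -DisplayName $LegacyPattern -ErrorAction SilentlyContinue)
$unity  = @(Get-Service -DisplayName $UnityPattern  -ErrorAction SilentlyContinue)
$listen = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

# Step 1 and 2: what is installed, and is anything listening on the Remoting port?
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    LegacyServices   = ($legacy | ForEach-Object { "$($_.DisplayName) [$($_.Status)]" }) -join '; '
    UnitySchedulerOk = [bool]$unity.Count
    PortListening    = [bool]$listen.Count
    ListeningProcess = ($listen | ForEach-Object {
                            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                        } | Sort-Object -Unique) -join ', '
} | Format-List

if (-not $Contain) { return }

if (-not $unity) {
    Write-Warning "No service matching '$UnityPattern' found; confirm the migration before relying on scheduled work."
}

# Step 3: stop and disable the legacy service so it cannot restart on reboot.
foreach ($svc in $legacy) {
    Stop-Service -InputObject $svc -Force
    Set-Service -Name $svc.Name -StartupType Disabled
}

# Step 5 (host firewall half): block inbound TCP to the port, idempotently.
$ruleName = "Block legacy OnBase Timer Service TCP $Port"   # constructed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block | Out-Null
}

# Re-check: nothing should still be bound to the port after containment.
if (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
    Write-Warning "TCP $Port is still listening; identify the owning process."
}
```

Run it without `-Contain` first to inventory a host, then re-run with `-Contain` once the Unity Scheduler migration has been confirmed.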