BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service (C:\Kofax\CaptureSS\ServLib\Bin\ACSvc.exe) that is accessible without authentication and uses a default, publicly known endpoint identifier. By modifying the PoC of Code-White's RemotingClient_MBRO_Lazy.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the correct host, an unauthenticated remote attacker can exploit .NET Remoting object unma

Deprecated .NET Remoting technology on an ephemeral network reachable port is used by the program Unisys.SOA.PerfectImageService.exe. Modifying the PoC of Code-White's RemotingClient_MBVO.exe program to implement a custom channel sink to redirect .NET Remoting traffic to the correct host, it was determined that the System.Media.SoundPlayer class technique allows SMB coercion by supplying a remote UNC path to leak the NTLMv2 hash of the account running the service.

Customers with printers running D3.18.4-3 or prior firmware with Printer Manager enabled (the default configuration). Customers with this configuration are advised to upgrade to the latest version and apply the remediation steps described herein.