criticalCVE-2026-58127

CVE-2026-58127 in PACSgear MediaWriter

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

ProductPACSgear MediaWriter
CVSS9.3
EPSS0.00985
UpdatedJuly 15, 2026

Quick answer

Hyland PACSgear MediaWriter should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • PACSgear MediaWriter 5.2.1

Fixed versions

  • No confirmed public fixed version at generation time; isolate TCP port 9000 and apply the latest Hyland-supported update when available

How to fix it

CVE-2026-58127 affects PACSgear MediaWriter. In simple terms, an attacker may be able to read or write files and then run code if the exposed service is reachable. There is no confirmed public fixed version yet. Block access to TCP port 9000, keep the server off the internet, and install the latest Hyland-supported update as soon as it is available.

  1. Find every PACSgear MediaWriter server and check if it is version 5.2.1.
  2. Block TCP port 9000 from the internet and from any network that does not need it.
  3. Allow access only from trusted internal systems that must use MediaWriter.
  4. Ask Hyland support for the latest safe update or workaround, then apply it.
  5. Review logs for unknown connections, file changes, or failed remote calls.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm TCP port 9000 is not reachable from untrusted networks.
  • Confirm only trusted systems can reach the MediaWriter service.
  • Check that Hyland guidance or the latest supported update has been applied.
  • Run a fresh Fixnx scan and keep the result with your change record.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-58127?

Hyland PACSgear MediaWriter versions listed as affected should be reviewed: PACSgear MediaWriter 5.2.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.