CVE 9.3 CRITICAL

Entrust Instant Financial Issuance (IFI) SmartCardController Service .NET Remoting RCE_CVE-2026-23746

January 15, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.

AI Analysis

Insecure .NET Remoting exposure in the SmartCardController service allows remote, unauthenticated attackers to invoke exposed remoting objects, leading to arbitrary file read, write, and remote code execution.

Basic Information

ID CVE-2026-23746

Source VulnCheck

Published Jan 15, 2026 at 19:44

Modified Jan 15, 2026 at 20:33

Affected Product

Vendor Entrust Corporation

Product Instant Financial Issuance (IF)

Version 5.x, 6.0, 6.10.x, 6.11.0

Affected Versions Entrust Corporation Instant Financial Issuance (IF) 5.x
Entrust Corporation Instant Financial Issuance (IF) 6.0
Entrust Corporation Instant Financial Issuance (IF) 6.0

CWE Classification

CWE-306 CWE-502

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Entrust Corporation

Product Instant Financial Issuance (IF)

Version 5.x, 6.0, 6.10.x, 6.11.0

References

{
    "lastseen": "",
    "description": "Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.",
    "published": "2026-01-15T19:44:53.716Z",
    "modified": "2026-01-15T20:33:58.351Z",
    "type": "cve",
    "title": "Entrust Instant Financial Issuance (IFI) SmartCardController Service .NET Remoting RCE",
    "source": "VulnCheck",
    "references": "https://www.entrust.com/products/issuance-systems/instant/financial-card\nhttps://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software\nhttps://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce",
    "id": "CVE-2026-23746",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Entrust Corporation Instant Financial Issuance (IF) 5.x\nEntrust Corporation Instant Financial Issuance (IF) 6.0\nEntrust Corporation Instant Financial Issuance (IF) 6.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Instant Financial Issuance (IF)",
    "version": "5.x, 6.0, 6.10.x, 6.11.0",
    "vendor": "Entrust Corporation",
    "ai_description": "Insecure .NET Remoting exposure in the SmartCardController service allows remote, unauthenticated attackers to invoke exposed remoting objects, leading to arbitrary file read, write, and remote code execution.",
    "ai_severity": "Critical",
    "ai_vendor": "Entrust Corporation",
    "ai_product": "Instant Financial Issuance (IF)",
    "ai_version": "5.x, 6.0, 6.10.x, 6.11.0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply