External risk intelligence

Kofax Capture allows attackers to read or write files and steal credentials.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-23751

An external attacker can exploit an unprotected connection in Tungsten Capture to remotely read or modify files without needing to log in. This exposes the business to unauthorized data theft and allows the attacker to take full control of the server, potentially compromising enterprise document processing.

2Halo Surface Signal

Missing Authentication

External exposure likelihood

Halo Surface Signal score for CVE-2026-23751

Tungsten Capture is a specialized enterprise document processing service typically restricted to internal network segments. It uses port 2424, which is not a standard public-facing port. While network reachable, direct exposure to the public internet is an uncommon configuration for this application, which is designed for back-office tasks and usually sits behind internal network controls.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Tungsten Capture (formerly Kofax Capture) allows an unauthenticated attacker to read or write arbitrary files on the server. It can also be used to steal credentials, leading to potential remote code execution or lateral movement within your network.

  • Attackers can access it remotely.
  • Sensitive credentials may be compromised.
  • Server files can be read or modified.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit a deprecated .NET Remoting interface on port 2424 to read or write files on the server or capture credentials. This allows for potential code execution or lateral movement depending on the service account's privileges.

  • Accessible over the network.
  • Uses a known default endpoint.
  • Does not require authentication.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to read or write arbitrary files, disclose credentials, or achieve remote code execution via a deprecated .NET Remoting HTTP channel. While the potential impact is severe, the specific nature of Kofax Capture as an enterprise back-office tool suggests it's less likely to be directly exposed to the public internet. Exploitation would typically require the service to be inadvertently exposed or targeted within a compromised internal network.

  • Unauthenticated remote code execution is possible.
  • NTLM coercion is a notable attack path.
  • Specialized, not widely exposed software.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize actively monitoring for and blocking unauthenticated network requests to port 2424 on Tungsten Capture (Kofax Capture) servers. Given the critical nature and potential for remote code execution or sensitive data disclosure, immediate containment is crucial if exploitation is suspected.

  • Block network traffic to port 2424.
  • Search logs for suspicious .NET Remoting activity.
  • Isolate affected servers from the network.

Frequently asked questions

What is Tungsten Capture (formerly Kofax Capture) and its primary function?

Tungsten Capture, previously known as Kofax Capture, is an enterprise software solution for automating document processing. It aids organizations in streamlining the capture, indexing, and archiving of documents from various sources to improve data management and workflows.

How does CVE-2026-23751 allow unauthorized file access on servers?

CVE-2026-23751 is a vulnerability in Tungsten Capture related to improper unmarshalling of .NET Remoting objects. This weakness, classified as CWE-306 (Authorization Bypass Through User-Controlled Key), enables an unauthenticated attacker to abuse this mechanism to read or write arbitrary files on the server.

What is the trigger path and scope of CVE-2026-23751?

An unauthenticated remote attacker can exploit a deprecated .NET Remoting HTTP channel on port 2424, accessible via the Ascent Capture Service. This channel uses a publicly known endpoint identifier and does not require authentication, allowing for arbitrary file read/write and NTLMv2 coercion.

What is the relevance of CVE-2026-23751 given Tungsten Capture's typical deployment?

While this vulnerability offers severe impact possibilities like remote code execution, Tungsten Capture is a specialized enterprise tool usually confined to internal networks. Its exposure to the public internet is uncommon, making direct exploitation less likely unless inadvertently exposed or within an already compromised network. The Halo Surface Signal indicates this is 'Unlikely' to be a widespread threat due to these factors.

What immediate steps should be taken to respond to this vulnerability?

Organizations should prioritize blocking unauthenticated network traffic to port 2424 on Tungsten Capture servers. Searching logs for suspicious .NET Remoting activity and isolating affected servers if exploitation is suspected are critical containment measures due to the potential for remote code execution and sensitive data disclosure.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified