CVE-2025-34414
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP remoting channel with SOAP and binary formatters configured at TypeFilterLevel=Full and exposes default ObjectURI endpoints such as logfile.rem, photo.rem, cwPhoto.rem, and reports.rem on a network-reachable remoting port. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Entrust Corporation | Instant Financial Issuance (IF) | 5.0 | affected |
| Entrust Corporation | Instant Financial Issuance (IF) | 6.0 < 6.10.5 | affected |
| Entrust Corporation | Instant Financial Issuance (IF) | 6.0 < 6.11.1 | affected |
Weaknesses
- CWE-502: CWE-502 Deserialization of Untrusted Data
- CWE-306: CWE-306 Missing Authentication for Critical Function
Workarounds
The vendor recommends that customers of IFI On Premise software immediately disable the Legacy Remoting Service.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.entrust.com/products/issuance-systems/instant/financial-card
- https://trustedcare.entrust.com/s/article/E25-008-NET-Remoting-Vulnerabilities-in-Instant-Financial-Issuance-On-Premise-Software
- https://www.vulncheck.com/advisories/entrust-ifi-legacy-remoting-unauthenticated-net-remoting-exposure
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.