Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-23751 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-23751 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-23751 is an unauthenticated remote code execution vulnerability affecting Kofax Capture (also marketed as Tungsten Capture) version 6.0.0.0, stemming from an exposed deprecated .NET Remoting HTTP channel on TCP port 2424 via the Ascent Capture Service component.

Technical Detail

The Ascent Capture Service in Kofax/Tungsten Capture exposes a legacy .NET Remoting HTTP endpoint on port 2424 that lacks authentication controls and relies on a deprecated, inherently insecure serialization mechanism. An attacker with network access to this port can send crafted serialized .NET objects to the endpoint, triggering deserialization of attacker-controlled data, which can result in arbitrary code execution in the context of the service process. Because .NET Remoting channels of this type do not enforce type safety or authentication by design, exploitation does not require credentials or prior access, and the attack surface is any host where port 2424 is reachable.

Exploitation Status

No known exploit code has been publicly documented or observed at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit. However, the underlying attack class, unauthenticated .NET Remoting deserialization, is well understood and tooling such as ysoserial.NET exists for constructing deserialization payloads against similar endpoints, which lowers the barrier for exploitation by a technically capable attacker.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No campaigns or targeted sectors have been identified in association with this CVE. Organizations in document capture, enterprise content management, and financial services verticals that commonly deploy Kofax/Tungsten Capture should treat this as an elevated risk given the nature of the vulnerability, but no threat intelligence currently links known actors to active exploitation of this specific flaw.

What To Do

Organizations running Kofax Capture or Tungsten Capture version 6.0.0.0 should immediately assess whether port 2424 is exposed on any network segment, particularly to untrusted or internet-facing hosts, and apply firewall rules to restrict access to that port to only explicitly authorized internal systems. Contact Tungsten Automation (formerly Kofax) for an official patch or updated version that removes or secures the deprecated .NET Remoting channel. If a patch is not immediately available, disabling the Ascent Capture Service when not in active use is a viable interim control. Detection can be aided by monitoring for unexpected inbound TCP connections to port 2424 and alerting on process spawning from the Ascent Capture Service process. Verify whether other versions beyond 6.0.0.0 are affected, as the vendor description notes additional versions may be impacted.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →