# CVE-2026-23751

> Vulnerability · severity: **CRITICAL** (CVSS 9.8).

## Description

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling techniques to instantiate a remote System.Net.WebClient object and read arbitrary files from the server filesystem, write attacker-controlled files to the server, or coerce NTLMv2 authentication to an attacker-controlled host, enabling sensitive credential disclosure, denial of service, remote code execution, or lateral movement depending on service account privileges and network environment.

## Key facts

- **CVE ID:** CVE-2026-23751
- **Published:** 2026-04-23
- **CVSS severity:** CRITICAL
- **CVSS base score:** 9.8
- **CWE codes:** CWE-306, CWE-441

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23751

## Citation

> AI Analytics. CVE-2026-23751. Retrieved 2026-06-26 from https://api.ai-analytics.org/cve/CVE-2026-23751. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*