HIGH 7.8

CVE-2026-25551: BarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation

Seagull Software BarTender versions 2021 R1 through 12.0.1 contain a flaw that allows local users with standard privileges to gain system-level access. The vulnerability stems from how BarTender's system service handles incoming network requests—it trusts serialized data without proper validation, allowing an attacker to craft malicious requests that execute code with the highest Windows privileges. Because the vulnerable service only listens on the local machine, an attacker must already have a local user account to exploit it, but once inside, they can escalate to full system control.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\\SYSTEM.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-25551 is an insecure deserialization vulnerability in the DataServiceSingleton .NET Remoting endpoint exposed by BtSystem.Service.exe on localhost:7375. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full, which enables deserialization of arbitrary .NET types. A low-privileged local user can craft and send a YSoSerial.NET-generated BinaryFormatter payload to achieve arbitrary code execution in the NT AUTHORITY\SYSTEM security context. The attack vector is local and requires low privileges, but offers no UI interaction requirement and results in complete system compromise.

Business impact

Compromise of a BarTender deployment exposes document generation, label printing, and process automation infrastructure to system-level takeover. An attacker gaining SYSTEM access can modify templates, intercept or forge documents, exfiltrate sensitive data embedded in label workflows, or pivot to other systems on the network. For organizations using BarTender in regulated environments (pharmaceuticals, shipping, compliance-heavy manufacturing), system compromise may trigger audit failures, breach notification obligations, and operational disruption.

Affected systems

Seagull Software BarTender versions 2021 R1 through 12.0.1 are vulnerable. Systems are affected only when BtSystem.Service.exe is running and accessible via localhost. Exposure is limited to local users on the same machine; remote exploitation is not possible. Any Windows environment running these BarTender versions with standard (non-administrative) user accounts should be considered at risk.

Exploitability

Exploitability is straightforward for a local attacker with standard user privileges. The required attack tool (YSoSerial.NET) is publicly available, and the vulnerable endpoint requires no authentication. However, the attack requires local access—a prospective attacker must either possess a local user account, compromise one, or gain initial shell access through another means. Once local access is achieved, exploitation is reliable and does not require user interaction or specific system configuration beyond the default service setup.

Remediation

Update BarTender to a patched version beyond 12.0.1. Consult Seagull Software's security advisory for the specific maintenance release addressing this vulnerability. In environments where immediate patching is not feasible, restrict local user account creation and enforce strong access controls to minimize the likelihood of a local attacker gaining sufficient privilege to attempt exploitation. Disable or isolate BtSystem.Service.exe if it is not required for operations.

Patch guidance

Verify the latest available BarTender maintenance release from Seagull Software's official security advisories and update affected systems to a version confirmed as patched against CVE-2026-25551. Test patches in a non-production environment before deployment. Prioritize systems in production environments that handle sensitive label generation or compliance-critical printing workflows. Coordinate patching to minimize disruption to document workflows; consider scheduling during planned maintenance windows if the service is in continuous operation.

Detection guidance

Monitor for unexpected .NET Remoting traffic on localhost:7375 originating from low-privileged user contexts. Watch for BtSystem.Service.exe spawning child processes with SYSTEM privileges or accepting BinaryFormatter-based payloads. Log analysis tools can flag suspicious serialized object deserialization attempts or unusual process creation chains from the service. Endpoint detection and response (EDR) solutions should alert on privilege escalation events involving BarTender service processes. Network segmentation that prevents local inter-process communication on this port can reduce exposure.

Why prioritize this

This vulnerability combines high severity (CVSS 7.8) with a clear local-to-system privilege escalation path. While remote exploitation is not possible, the reliable nature of the attack, availability of public tooling, and guaranteed code execution at SYSTEM level make it an attractive target for any threat actor with local access. In environments where standard users have local shell access or where lateral movement has already occurred, this becomes a critical escalation vector. Organizations should treat this as a near-term patching priority.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of local attack vector, low privilege requirement, high impact across confidentiality, integrity, and availability, and the lack of user interaction needed. The lack of CVSS scope change from User to System reflects that the vulnerability operates entirely within the affected service context. While the local-only nature prevents worm-like mass exploitation, the ease of exploitation and severity of impact justify the HIGH rating and warrant urgent patching in production environments.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerable .NET Remoting endpoint is bound exclusively to localhost (127.0.0.1) on port 7375. Remote exploitation is not possible. An attacker must have local access to the system, either through a legitimate local user account or by gaining shell access through another vulnerability or social engineering attack.

What versions of BarTender are affected?

Seagull Software BarTender versions 2021 R1 through 12.0.1 are vulnerable. Consult Seagull Software's official advisory for the first patched version and to confirm whether versions outside this range are affected.

If I don't use BtSystem.Service.exe, am I safe?

If the service is not running or is not required for your BarTender deployment, the attack surface is eliminated. However, many BarTender installations rely on this service for background document processing and automation. Check your deployment architecture with your system administrator before disabling it, and ensure alternative workflows are in place if you choose not to run it.

How quickly should I prioritize patching this vulnerability?

This should be treated as a near-term priority. While the attack requires local access, the ease of exploitation, availability of public tools, and guaranteed code execution at SYSTEM level make it an attractive target once an attacker gains local foothold. Patch within your organization's standard SLA for HIGH severity vulnerabilities, typically within 1–2 weeks of verification and testing.

This analysis is provided for informational purposes to support vulnerability management and patch prioritization. It does not constitute legal, compliance, or liability advice. Organizations are responsible for assessing their own environments, confirming affected product versions against vendor advisories, and implementing patches according to their change management and business continuity procedures. SEC.co makes no warranty regarding the completeness or accuracy of vendor patch information; consult official Seagull Software security bulletins for authoritative remediation guidance. Exploitation of vulnerabilities without authorization is illegal. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).