CVE-2026-26221

N/A Unknown

📋 TL;DR

This vulnerability in Hyland OnBase allows unauthenticated attackers to send crafted .NET Remoting requests to the Workflow Timer Service on TCP port 8900, leading to arbitrary file read/write and potentially remote code execution. Attackers can also abuse this to coerce NTLM authentication via UNC paths for credential theft. All OnBase installations with the vulnerable Workflow Timer Service exposed are affected.

💻 Affected Systems

Products:
  • Hyland OnBase
Versions: Specific versions not detailed in CVE, but affected versions are documented in vendor bulletin OB2025-03
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe) is running with default HTTP channel endpoints exposed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution with SYSTEM privileges, complete system compromise, and lateral movement through NTLM credential theft.

🟠 Likely Case

Arbitrary file read/write leading to web shell deployment and limited code execution, or NTLM hash capture for credential attacks.

🟢 If Mitigated

Limited impact due to network segmentation and service isolation, potentially only file access within the service context.

🌐 Internet-Facing: HIGH - Direct remote exploitation possible if service is exposed to internet without authentication.
🏢 Internal Only: HIGH - Even internally, unauthenticated access allows lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting .NET Remoting requests but no authentication needed. UNC path abuse for NTLM coercion adds credential theft vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version specified in Hyland bulletin OB2025-03

Vendor Advisory: https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03

Restart Required: Yes

Instructions:

1. Apply the security update from Hyland bulletin OB2025-03.
2. Restart the OnBase Workflow Timer Service.
3. Verify the service is no longer listening on the vulnerable endpoints.

🔧 Temporary Workarounds

Network Segmentation (Windows)

Block TCP port 8900 at the network perimeter and restrict access to trusted hosts only.

Windows Firewall:
New-NetFirewallRule -DisplayName "Block OnBase Timer Service" -Direction Inbound -LocalPort 8900 -Protocol TCP -Action Block

Service Hardening (Windows)

Disable or restrict the .NET Remoting endpoints and implement authentication if possible.

Modify the OnBase configuration to require authentication for the TimerServiceAPI.rem and TimerServiceEvents.rem endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit TCP/8900 to essential systems only.
  • Monitor for unusual .NET Remoting traffic and file writes in web-accessible directories.

🔍 How to Verify

Check if Vulnerable:

Check if Hyland.Core.Workflow.NTService.exe is listening on TCP port 8900 and if TimerServiceAPI.rem/TimerServiceEvents.rem endpoints are accessible without authentication.

Check Version:

Check OnBase version through administrative interface or examine service file properties.

Verify Fix Applied:

Verify service version matches patched version from bulletin and that .NET Remoting requests to vulnerable endpoints are rejected or require authentication.
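The three checks above (is the binary listening on TCP/8900, what version is it, is the workaround firewall rule in place) can be run from one elevated PowerShell session on the OnBase server. The script below is an added example written for this page; it is not Hyland's code and not part of the bulletin. It locates the service by the binary name given above because the Windows service name is not stated in the advisory (assumption), and it uses the firewall rule display name from the workaround section. The fixed version number must be taken from bulletin OB2025-03; the script only reports what is installed.

```powershell
# Added example: verification checks for the OnBase Workflow Timer Service.
# Run elevated on the OnBase server. Not vendor code; see the lead-in for assumptions.

$BinaryName = 'Hyland.Core.Workflow.NTService.exe'
$Port       = 8900
$RuleName   = 'Block OnBase Timer Service'   # display name used in the workaround rule

# 1. Find the service by its executable path (service name is not known here) and
#    report the file version so it can be compared with bulletin OB2025-03.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$BinaryName*" }
if (-not $svc) {
    Write-Output "No service running $BinaryName was found on this host."
} else {
    # PathName may be quoted and carry arguments; reduce it to the .exe path.
    $exe = if ($svc.PathName -match '^"([^"]+\.exe)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(\S+\.exe)') { $Matches[1] }
           else { $null }
    $ver = if ($exe -and (Test-Path $exe)) { (Get-Item $exe).VersionInfo.FileVersion } else { 'unknown' }
    Write-Output "Service '$($svc.Name)' state=$($svc.State) binary=$exe fileversion=$ver"
    Write-Output "Compare '$ver' with the patched version listed in bulletin OB2025-03."
}

# 2. Is anything listening on the timer port, and is it this binary on a non-loopback address?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP/$Port."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $image = if ($proc -and $proc.Path) { Split-Path $proc.Path -Leaf }
                 elseif ($proc) { "$($proc.ProcessName).exe" }
                 else { 'unknown' }
        Write-Output ("Listening on {0}:{1} pid={2} image={3}" -f $l.LocalAddress, $Port, $l.OwningProcess, $image)
        if ($image -ieq $BinaryName -and $l.LocalAddress -notin @('127.0.0.1', '::1')) {
            Write-Output "  -> Workflow Timer Service is bound to a non-loopback address; treat it as exposed."
        }
    }
}

# 3. Is the inbound block rule from the workaround present, enabled, and actually covering the port?
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block') {
    $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
    Write-Output "Firewall rule '$RuleName' is enabled (Block, local port $ports)."
} else {
    Write-Output "Firewall rule '$RuleName' is missing or is not an enabled Block rule."
}
```

A listener on a non-loopback address with no enabled block rule is the condition the advisory describes as exposed; a loopback-only listener still warrants the patch, since the service itself is unchanged, but it removes the remote, unauthenticated path.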

📡 Detection & Monitoring

Log Indicators:

  • Unusual .NET Remoting activity in application logs
  • File creation in web directories from Workflow Timer Service
  • Failed authentication attempts to TimerService endpoints

Network Indicators:

  • TCP connections to port 8900 from untrusted sources
  • .NET Remoting serialization traffic patterns
  • Outbound SMB connections triggered by UNC paths

SIEM Query:

source="OnBase" AND (event="TimerServiceAPI" OR event="TimerServiceEvents") AND (action="deserialization" OR action="file_write")
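The SIEM query above is written against a generic "OnBase" source. Where the host runs Sysmon, the network and file indicators listed above can be pulled directly from the Sysmon operational log. The script below is an added example written for this page, not Hyland's code and not a query from any particular SIEM product. It assumes Sysmon is installed with network-connection (event ID 3) and file-create (event ID 11) logging enabled for the service process; the trusted client ranges and web root directory are placeholders to replace with local values. It flags three things: inbound connections to TCP/8900 from outside the trusted ranges, outbound SMB (TCP/445) initiated by the timer service (the UNC-path NTLM coercion pattern), and files the service creates under a web root.

```powershell
# Added example: Sysmon-based detection of the indicators listed above.
# Not vendor code. Adapt $TrustedCidrs and $WebRoots before use.

$Image        = 'Hyland.Core.Workflow.NTService.exe'
$TimerPort    = 8900
$TrustedCidrs = @('10.10.0.0/16')          # placeholder: hosts allowed to reach TCP/8900
$WebRoots     = @('C:\inetpub\wwwroot')    # placeholder: directories served by the web tier
$Since        = (Get-Date).AddHours(-24)

# IPv4 helpers; anything that is not IPv4 is treated as untrusted.
function ConvertTo-IPv4Long([string]$Ip) {
    try { $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes() } catch { return $null }
    if ($b.Length -ne 4) { return $null }
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}
function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $ipL  = ConvertTo-IPv4Long $Ip
    $netL = ConvertTo-IPv4Long $net
    if ($null -eq $ipL -or $null -eq $netL) { return $false }
    $mask = (([long]0xFFFFFFFF) -shl (32 - [int]$bits)) -band [long]0xFFFFFFFF
    return (($ipL -band $mask) -eq ($netL -band $mask))
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3, 11; StartTime = $Since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if (-not ($d['Image'] -like "*\$Image")) { continue }   # only the timer service process

    switch ($e.Id) {
        3 {
            # Inbound connection to the timer port from outside the trusted ranges.
            if ($d['Initiated'] -eq 'false' -and [int]$d['DestinationPort'] -eq $TimerPort) {
                $trusted = $false
                foreach ($c in $TrustedCidrs) { if (Test-InCidr $d['SourceIp'] $c) { $trusted = $true } }
                if (-not $trusted) {
                    [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'Untrusted client on TCP/8900'; Detail = $d['SourceIp'] }
                }
            }
            # Service initiating SMB outbound: consistent with a UNC path being resolved (NTLM coercion).
            if ($d['Initiated'] -eq 'true' -and [int]$d['DestinationPort'] -eq 445) {
                [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'Outbound SMB from timer service'; Detail = $d['DestinationIp'] }
            }
        }
        11 {
            # File written by the service under a web-served directory.
            foreach ($root in $WebRoots) {
                if ($d['TargetFilename'] -like "$root\*") {
                    [pscustomobject]@{ Time = $e.TimeCreated; Indicator = 'File created under web root'; Detail = $d['TargetFilename'] }
                }
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

The outbound-SMB check is the most reliable of the three on a host where the timer service has no legitimate reason to open TCP/445 to arbitrary hosts; the web-root check depends on where the web tier actually lives, so set $WebRoots to the real paths rather than leaving the placeholder.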
