Code execution in Entrust Instant Financial Issuance (IFI) On Premise
23/01/2026
CVE-2026-23746
CRITICAL (9.8)
CVSS3: 8.5
Entrust Instant Financial Issuance (IFI) On Premise could allow a remote attacker to execute arbitrary code on the system, caused by an insecure exposure of .NET Remoting in the SmartCardController service (DCG.SmartCardControllerService.exe).
Affected Systems
- Entrust Corporation Instant Financial Issuance (IF) 5.x
- Entrust Corporation Instant Financial Issuance (IF) 6.0
Remediation
Upgrade to the latest version of Instant Financial Issuance (IF) (6.10.5, 6.11.1 or later), available from the Entrust website. See the References.
References
- https://www.entrust.com/products/issuance-systems/instant/financial-card
- https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software
- https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/23xxx/CVE-2026-23746.json









