OpenText RightFax Deserialization Vulnerability Allowing Object Injection

Vulnerability

A deserialization vulnerability allowing object injection has been identified in OpenText RightFax versions through 25.4, on both 32-bit and 64-bit Windows systems. This vulnerability arises from the .NET Remoting framework, which contains known security flaws that could be exploited if the RightFax service is exposed and the remoting ports are accessible.

Impact

Exploitation of this vulnerability could enable unauthenticated attackers to perform arbitrary file read/write operations, execute remote code, and conduct Server Message Block (SMB) coercion.

Remediation

OpenText is developing patches for RightFax versions 16.6, 20.2, 21.2, 22.2, 23.4, 24.4, and 25.4, targeting release by the end of April 2026. In the meantime, customers can block ports 34001 and 34002 at their firewall, although this may cause communication issues with IIS and Remote RightFax Web Services for versions 20.2 and later.
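
One way to confirm that the interim block on ports 34001 and 34002 is effective from a given network segment. This is an added example, not code from OpenText or from the original advisory; the server list is a constructed placeholder and the function names are hypothetical.

```python
import socket

# Ports named in the advisory's interim mitigation.
REMOTING_PORTS = (34001, 34002)


def probe(host, port, timeout=2.0):
    """Classify one TCP port as seen from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the port is reachable
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: nothing listening, or a rejecting firewall
    except socket.timeout:
        return "filtered"        # no answer at all: typical of a firewall drop rule
    except OSError:
        return "error"           # no route, name resolution failure, and similar


def audit(hosts, ports=REMOTING_PORTS, timeout=2.0):
    """Return {host: {port: state}} for every host/port pair."""
    return {h: {p: probe(h, p, timeout) for p in ports} for h in hosts}


def still_exposed(results):
    """Hosts where at least one audited port still accepts connections."""
    return sorted(h for h, states in results.items() if "open" in states.values())


if __name__ == "__main__":
    # Constructed inventory (assumption): replace with your own RightFax servers.
    servers = ["127.0.0.1"]
    results = audit(servers)
    for host, states in results.items():
        for port, state in states.items():
            print(f"{host}:{port} {state}")
    print("still reachable from this vantage point:", still_exposed(results) or "none")
```

Run it from each segment that should no longer reach the RightFax server; a result of "open" from a host that runs IIS or Remote RightFax Web Services may be an intended exception given the communication issues noted above.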

Added: Apr 15, 2026, 6:34 PM
Updated: Apr 15, 2026, 6:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.