ASNA Products Deserialization Vulnerability in .NET Remoting Allowing Privilege Escalation and Code Execution

Vulnerability

A deserialization vulnerability has been identified in ASNA Assist and ASNA Registrar versions prior to 2025-03-31. This issue affects several ASNA products, including DataGate for SQL Server, DataGate Component Suite, DataGate Monitor, DataGate WebPak, Monarch for .NET, Encore RPG, Visual RPG .NET Framework, WingsRPG, Mobile RPG, Monarch Framework for .NET Framework, Browser Terminal, Visual RPG Classic, Visual RPG Deployment, and DataGate Studio. All of these products are vulnerable to deserialization attacks via .NET remoting, a technology that can be exploited using well-known deserialization techniques. Because the affected services run with SYSTEM-level rights, exploitation could lead to unauthorized privilege escalation and arbitrary code execution.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation and arbitrary code execution, given that the affected services operate with SYSTEM-level rights.

Remediation

Users are advised to update to ASNA products version 2025-03-31 or later. For more information, visit the ASNA security update page.

Added: Jul 3, 2025, 2:27 PM
Updated: Jul 3, 2025, 3:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.