Entrust Instant Financial Issuance .NET Remoting Vulnerability in SmartCardController Service Allowing Remote Code Execution
Vulnerability
A vulnerability exists in Entrust Instant Financial Issuance (IFI) On-Premise software, affecting versions 5.x, versions prior to 6.10.5, and versions prior to 6.11.1. The issue arises from an insecure .NET Remoting exposure in the SmartCardController service, which registers a TCP remoting channel with unsafe settings that allow untrusted object invocation. A remote, unauthenticated attacker can use this exposure to access arbitrary files on the server, manipulate outbound authentication, and potentially execute code remotely using established .NET Remoting exploitation methods. As a result, sensitive installation and service-account information may be disclosed, leading to a compromise of the affected host.
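A defender-side check for the class of misconfiguration described above, as an added example that is not part of the original advisory or Entrust's code: it parses a .NET Framework configuration file and flags server-side TCP remoting channels that lack `secure="true"` or use a formatter with `typeFilterLevel="Full"`. The advisory does not say which settings the SmartCardController service uses or whether they are set in a config file rather than in code, so the two checks, the function name `audit_remoting_config` and the sample XML are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a <system.runtime.remoting> section; it is NOT taken
# from the Entrust product, and the ports are made up.
SAMPLE_CONFIG = """<configuration>
  <system.runtime.remoting><application><channels>
    <channel ref="tcp" port="9000">
      <serverProviders><formatter ref="binary" typeFilterLevel="Full" /></serverProviders>
    </channel>
    <channel ref="tcp" port="9001" secure="true">
      <serverProviders><formatter ref="binary" typeFilterLevel="Low" /></serverProviders>
    </channel>
  </channels></application></system.runtime.remoting>
</configuration>"""

# Channel templates that listen for inbound calls ("tcp client" does not).
SERVER_REFS = {"tcp", "tcp server"}


def audit_remoting_config(xml_text):
    """Return (port, finding) tuples for risky server-side TCP remoting channels."""
    findings = []
    for channel in ET.fromstring(xml_text).iter("channel"):
        ref = channel.get("ref", "").lower()
        ctype = channel.get("type", "")
        if (ref not in SERVER_REFS and "TcpChannel" not in ctype
                and "TcpServerChannel" not in ctype):
            continue
        port = channel.get("port", "?")
        # Without secure="true" the channel accepts unauthenticated callers.
        if channel.get("secure", "false").lower() != "true":
            findings.append((port, "channel not secured (secure != true)"))
        # Full type filtering lets the formatter deserialize far more types.
        for fmt in channel.iter("formatter"):
            if fmt.get("typeFilterLevel", "Low").lower() == "full":
                findings.append((port, "typeFilterLevel=Full"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_remoting_config(SAMPLE_CONFIG):
        print(f"port {port}: {finding}")
```

A clean result from this check does not clear a host, because channels registered programmatically never appear in a config file; the version ranges in the advisory remain the authoritative test.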
Impact
Exploitation of this vulnerability could result in unauthorized access to files, manipulation of authentication processes, and execution of arbitrary code on the server, causing a complete compromise of the affected system.