Hyland OnBase Unauthenticated .NET Remoting Vulnerability in Workflow Timer Service Allowing Remote Code Execution

Vulnerability

Hyland OnBase Workflow Timer Service versions 8.0 through 17.0.x, as well as the Workview Timer Service, allow unauthenticated .NET Remoting access. An attacker can send crafted requests to the default HTTP channel endpoints on TCP port 8900, such as TimerServiceAPI.rem and TimerServiceEvents.rem, to exploit unsafe object unmarshalling, which enables arbitrary file read and write operations. By injecting malicious content into web-accessible locations, or by combining this exploit with other OnBase functionality, an attacker could achieve remote code execution. Additionally, supplying a UNC path can coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
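
One way to look for this activity in network logs, as an added example that is not part of the original advisory: it flags requests to the two named endpoints on TCP port 8900 from unexpected sources, and outbound SMB from the Timer Service host shortly afterwards. The log format, IP addresses, allowlist and 60-second correlation window are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions (hypothetical values, adjust to your environment):
TIMER_HOSTS = {"10.20.0.15"}                               # hosts running the Timer Service
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]   # expected internal range
REMOTING_PORT = 8900                                       # default HTTP channel port per the advisory
ENDPOINTS = ("timerserviceapi.rem", "timerserviceevents.rem")
SMB_WINDOW = timedelta(seconds=60)                         # correlation window for outbound SMB

# Constructed sample records: time, src, dst, dst_port, uri ("-" if none)
SAMPLE = """\
2026-02-13T10:00:01 10.20.0.40 10.20.0.15 8900 /TimerServiceAPI.rem
2026-02-13T10:05:12 192.0.2.77 10.20.0.15 8900 /TimerServiceEvents.rem
2026-02-13T10:05:20 10.20.0.15 192.0.2.77 445 -
2026-02-13T10:30:00 10.20.0.15 10.20.0.5 445 -
"""

def parse(line):
    ts, src, dst, port, uri = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), uri

def allowed(ip):
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_CLIENTS)

def detect(text):
    alerts, last_untrusted = [], {}   # last_untrusted: timer host -> time of last flagged request
    for ts, src, dst, port, uri in map(parse, text.strip().splitlines()):
        # Rule 1: remoting endpoint reached from outside the expected client range
        if (dst in TIMER_HOSTS and port == REMOTING_PORT
                and uri.lower().endswith(ENDPOINTS) and not allowed(src)):
            alerts.append(("untrusted_remoting_request", ts, src, dst))
            last_untrusted[dst] = ts
        # Rule 2: timer host opens SMB to a non-allowed address soon after Rule 1 fired
        elif (src in TIMER_HOSTS and port == 445 and not allowed(dst)
                and src in last_untrusted and ts - last_untrusted[src] <= SMB_WINDOW):
            alerts.append(("outbound_smb_after_remoting", ts, src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```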

Impact

Exploitation of this vulnerability could lead to remote code execution on the affected system.

Added: Feb 13, 2026, 4:55 PM
Updated: Feb 13, 2026, 11:15 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 10.0
exploitability: 7.1
remediation: 8.3
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.