Executive Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-23751) has been disclosed in Kofax Capture, now rebranded as Tungsten Capture by Tungsten Automation. The vulnerability carries a CVSS score of 9.8 and affects at minimum version 6.0.0.0, with other versions potentially impacted.
The root cause is the exposure of a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service. This channel is accessible without authentication and uses a default, publicly known endpoint identifier. An unauthenticated remote attacker can connect to this channel and execute arbitrary code on the server, gaining full control of systems running the Ascent Capture Service.
Organizations running Kofax/Tungsten Capture should immediately restrict access to port 2424 and apply available vendor patches or mitigations.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-23751 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-287 — Improper Authentication / CWE-749 — Exposed Dangerous Method |
| Type | Unauthenticated Remote Code Execution |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Exposed Port | 2424/TCP |
| Patch Available | Consult vendor advisory |
Affected Versions
| Product | Affected Versions | Notes |
|---|---|---|
| Kofax Capture | 6.0.0.0 | Other versions may be affected |
| Tungsten Capture | 6.0.0.0 | Rebranded name for same product |
| Ascent Capture Service | Included in above | Service that exposes the channel |
Technical Analysis
Root Cause
The Ascent Capture Service component of Kofax/Tungsten Capture exposes a legacy .NET Remoting HTTP channel on TCP port 2424. .NET Remoting is a deprecated Microsoft framework superseded by WCF and gRPC. The channel:
- Requires no authentication to connect
- Uses a default, publicly documented endpoint identifier rather than a custom or secret endpoint
- Allows arbitrary remote method invocation on registered objects
The combination of no authentication, a known endpoint, and the inherent code execution risk of unauthenticated .NET Remoting method invocation allows any attacker who can reach the port over the network to execute arbitrary code in the context of the Ascent Capture Service process.
.NET Remoting Attack Surface
.NET Remoting channels expose registered server-side objects for remote method invocation. With no authentication requirement and a known endpoint, an attacker can:
- Instantiate remote objects
- Invoke methods on those objects
- Supply attacker-controlled parameters including serialized objects
- Trigger code execution via method invocation or object deserialization
Attack Flow
1. Attacker scans for TCP port 2424 on reachable hosts
2. Identifies systems running Kofax/Tungsten Capture Ascent Capture Service
3. Connects to the .NET Remoting HTTP channel using the known default endpoint
4. No credentials required — channel accepts unauthenticated connections
5. Attacker invokes methods on remote objects or sends crafted serialized payloads
6. Code executes in the context of the Ascent Capture Service process
7. Attacker achieves full system compromise with service account permissions
Exploitation Conditions
- Kofax/Tungsten Capture 6.0.0.0 (possibly other versions) must be installed and running
- The Ascent Capture Service must be active
- TCP port 2424 must be reachable from the attacker's network position
- No credentials or prior authentication needed
Impact Assessment
| Impact Area | Description |
|---|---|
| Unauthenticated RCE | Full code execution with no credentials required |
| Document Capture Data | Access to scanned documents, OCR output, forms data, and metadata |
| Credential Theft | Access to service account credentials and environment-stored secrets |
| Lateral Movement | Service account permissions can enable further network access |
| Persistent Access | Attacker can install backdoors within the service context |
| Regulatory Exposure | Document capture systems often handle regulated data (healthcare, finance, legal) |
| Business Disruption | Service manipulation or shutdown impacts document processing workflows |
Immediate Remediation
Step 1: Block Port 2424 at the Firewall
As an immediate mitigation, restrict access to TCP port 2424 to only required internal systems:
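```bash
# Linux/iptables: allow port 2424 only from the internal range, drop everything else.
# -I inserts at the top of the chain, so the ACCEPT rule added second is evaluated before the DROP.
# INPUT covers traffic addressed to this host; on a Linux gateway in front of the server, use FORWARD.
iptables -I INPUT -p tcp --dport 2424 -j DROP
iptables -I INPUT -p tcp --dport 2424 -s 10.0.0.0/8 -j ACCEPT
```
```powershell
# Windows Firewall: block inbound on port 2424.
# A block rule overrides any allow rule, so this blocks every remote host, trusted ones included.
netsh advfirewall firewall add rule name="Block Kofax 2424" protocol=TCP dir=in localport=2424 action=block
```
Step 2: Disable the Ascent Capture Service if Not Required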
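```powershell
# Windows: stop and disable the service if not actively in use.
# sc.exe is spelled out because "sc" is an alias for Set-Content in Windows PowerShell.
sc.exe stop "AscentCaptureService"
sc.exe config "AscentCaptureService" start= disabled
# Verify
sc.exe query "AscentCaptureService"
```
Step 3: Apply Vendor Patch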
Consult the Tungsten Automation security advisories and apply the latest available patch for Kofax/Tungsten Capture. If no patch is yet available, maintain the firewall restriction as a compensating control.
Step 4: Audit for Prior Compromise
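```powershell
# Review the Ascent Capture Service process for unusual child processes.
# The PID is read from the service entry because the process name may differ from the service name.
$svc = Get-CimInstance Win32_Service -Filter "Name='AscentCaptureService'"
if ($svc -and $svc.ProcessId) {
    Get-CimInstance Win32_Process -Filter "ParentProcessId=$($svc.ProcessId)"
}
# Check for scheduled tasks registered in the last 30 days (Date is a string, so convert before comparing)
Get-ScheduledTask | Where-Object { ($_.Date -as [datetime]) -gt (Get-Date).AddDays(-30) }
# List services set to start automatically, to review for unexpected entries
Get-Service | Where-Object { $_.StartType -eq "Automatic" } | Sort-Object Name
```
Detection Indicators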
| Indicator | Description |
|---|---|
| Inbound connections to TCP/2424 from unexpected sources | Exploitation or scanning in progress |
| Unusual processes spawned by AscentCaptureService | Post-exploitation activity |
| New scheduled tasks or services created recently | Persistence installation |
| Outbound connections from AscentCaptureService to external IPs | C2 communication or exfiltration |
| Service account used for unusual network activity | Lateral movement attempt |
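The first indicator in the table can be checked against the host's own firewall log. The script below is an added example, not part of the original advisory or any vendor tooling: it reports inbound TCP/2424 records from sources outside a trusted list. It assumes Windows Firewall logging is enabled for both allowed and dropped connections (pfirewall.log format); the trusted ranges and all log lines are constructed sample values.

```python
import ipaddress
from collections import Counter

KOFAX_PORT = 2424  # .NET Remoting HTTP channel port named in the advisory
# Assumption: the only hosts that legitimately need the channel (constructed values).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.30.0/28", "10.20.31.5/32")]

# Constructed sample in Windows Firewall log (pfirewall.log) format.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-01-12 09:14:02 ALLOW TCP 10.20.30.4 10.20.40.10 50112 2424 0 - 0 0 0 - - - RECEIVE
2026-01-12 09:14:07 ALLOW TCP 203.0.113.77 10.20.40.10 41822 2424 0 - 0 0 0 - - - RECEIVE
2026-01-12 09:14:09 DROP TCP 198.51.100.9 10.20.40.10 60233 2424 60 S 1234 0 64240 - - - RECEIVE
2026-01-12 09:15:30 ALLOW TCP 10.20.40.10 10.20.30.4 2424 50112 0 - 0 0 0 - - - SEND
2026-01-12 09:16:01 ALLOW TCP 203.0.113.77 10.20.40.10 41830 443 0 - 0 0 0 - - - RECEIVE
2026-01-12 09:16:44 ALLOW TCP 203.0.113.77 10.20.40.10 41901 2424 0 - 0 0 0 - - - RECEIVE
"""

def parse(text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def untrusted_hits(text, port=KOFAX_PORT, trusted=TRUSTED):
    """Count inbound TCP records to `port` from sources outside `trusted`."""
    hits = Counter()
    for rec in parse(text):
        if (rec.get("protocol"), rec.get("path"), rec.get("dst-port")) != ("TCP", "RECEIVE", str(port)):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed record, skip it
        if not any(src in net for net in trusted):
            hits[(str(src), rec["action"])] += 1
    return hits

if __name__ == "__main__":
    for (src, action), n in sorted(untrusted_hits(SAMPLE_LOG).items()):
        # ALLOW means the connection reached the service and should be investigated first.
        print(f"{src}\t{action}\t{n}")
```

Records with action ALLOW are the ones that reached the service; DROP records show continued attempts after the firewall restriction is in place.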
Post-Remediation Checklist
- Block TCP port 2424 from all non-essential network segments immediately
- Apply available vendor patches for Kofax/Tungsten Capture
- Disable the Ascent Capture Service if not operationally required
- Audit running services and processes for evidence of compromise
- Review recent logs for unexpected connections to port 2424
- Rotate credentials for the Ascent Capture Service account
- Scan affected systems for persistence mechanisms
- Assess whether other versions of the product are also affected
- Monitor port 2424 for continued access attempts after mitigation