Seagull Software BarTender 2010

Per the user-provided intel, BarTender 2010, 2016, and 2019 expose an unauthenticated remote code execution flaw in a .NET Remoting service. In plain terms, a network client can talk to a legacy remoting endpoint and feed it untrusted serialized data, which is a class of bug Microsoft explicitly warns can lead to DoS, information disclosure, or RCE when BinaryFormatter-style deserialization crosses a trust boundary. BarTender is a Windows-centric labeling/printing platform with multiple companion services, and vendor documentation shows several network-facing BarTender services and ports in 2019-era deployments.

The vendor's 9.8/CRITICAL label is technically defensible if an attacker can directly reach the vulnerable remoting service. In enterprise reality, though, BarTender usually sits on an internal print, integration, or license host rather than a public edge system, so the decisive friction is attacker position: this is more often a post-initial-access lateral movement primitive than a day-one internet spray target. That drops it out of top-tier emergency territory, but not by much, because once reachable it is unauthenticated, low-complexity, and likely service-context code execution on infrastructure that can disrupt production labeling and printing.

Why this verdict

• Start at the vendor's 9.8 baseline because a reachable unauthenticated remoting deserialization bug is legitimately severe in a vacuum
• Attacker position pulls it down: this usually requires internal network reachability to a BarTender server, which implies post-compromise lateral movement or unusually poor exposure
• Reachable population is limited: BarTender is enterprise software on specialized Windows hosts, not a mass internet-facing platform; many environments will have only a handful of such servers
• Modern controls should block some paths to Step 1: segmentation, Windows Firewall, and server VLAN boundaries materially reduce who can touch the service ports
• It stays HIGH because exploitation is still pre-auth once reachable: no user click, no credentials, and likely code execution in a service context on operational infrastructure

Why not higher?

There is no KEV listing, no reviewed evidence of live campaigns, and no public vendor-backed exploitation bulletin for this CVE at assessment time. More importantly, the most common prerequisite is internal reachability to a niche Windows application server, which sharply narrows victim exposure compared with true internet-edge CRITICALs.

Why not lower?

This is still unauthenticated network-triggered code execution against a server-side service. If an attacker can see the host, the exploitation path is short, and the impact on centralized labeling or print infrastructure can be operationally serious.

1. Restrict BarTender service ports — Apply host firewall and network ACL rules so only approved management, integration, and BarTender client subnets can reach TCP 5150, 5160, 7375 and UDP 7371. For a HIGH verdict, deploy this compensating control within 30 days.
2. Isolate legacy BarTender servers — Move BarTender 2010/2016/2019 hosts into dedicated server VLANs or micro-segmented groups with tightly defined east-west policy. This cuts off the most realistic abuse path—lateral movement from a compromised workstation—and should be in place within 30 days.
3. Disable unused BarTender services — If Integration, Licensing, or System services are not needed on a given node, stop them and set startup to manual/disabled after application-owner validation. Shrinking the running service set is one of the fastest ways to reduce exposure and should be completed within 30 days.
4. Hunt for BarTender child-process abuse — Create EDR detections for powershell.exe, cmd.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, or suspicious network egress spawned by BarTender services. This does not prevent exploitation, but it improves containment and should be deployed within 30 days.
5. Constrain service account privileges — Review the logon identity and rights for BarTender services; remove local admin where not strictly required and deny unnecessary network access. This limits blast radius after exploitation and should be implemented within 30 days.

Run this on the target Windows host where BarTender may be installed: powershell -ExecutionPolicy Bypass -File .\Check-CVE-2026-25550.ps1. Local administrator is recommended so the script can inspect services, uninstall data, and listening ports reliably; standard user often works but may return UNKNOWN on locked-down systems.

#requires -version 5.1
[CmdletBinding()]
param()

# Check-CVE-2026-25550.ps1
# Purpose: Best-effort local exposure check for BarTender 2010/2016/2019 remoting-related risk.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'SilentlyContinue'

function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($p in $paths) {
        Get-ItemProperty $p | Where-Object { $_.DisplayName -match 'BarTender' } | Select-Object DisplayName, DisplayVersion, InstallLocation, Publisher
    }
}

function Get-BarTenderServices {
    Get-Service | Where-Object {
        $_.Name -match 'BarTender|Seagull|Maestro' -or $_.DisplayName -match 'BarTender|Seagull|Maestro'
    } | Select-Object Name, DisplayName, Status, StartType
}

function Get-ListeningEvidence {
    $tcpPorts = 5150,5160,7375
    $udpPorts = 7371

    $tcp = @()
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $tcp = Get-NetTCPConnection -State Listen | Where-Object { $tcpPorts -contains $_.LocalPort }
    } else {
        $tcp = netstat -na | Select-String -Pattern 'LISTENING' | Select-String -Pattern ':(5150|5160|7375)\s'
    }

    $udp = @()
    if (Get-Command Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        $udp = Get-NetUDPEndpoint | Where-Object { $udpPorts -contains $_.LocalPort }
    } else {
        $udp = netstat -na | Select-String -Pattern ':(7371)\s'
    }

    [PSCustomObject]@{
        Tcp = $tcp
        Udp = $udp
    }
}

$entries = @(Get-UninstallEntries)
$services = @(Get-BarTenderServices)
$listeners = Get-ListeningEvidence

$foundAffected = $false
$foundClearlyNewer = $false
$details = @()

foreach ($e in $entries) {
    $name = [string]$e.DisplayName
    $ver  = [string]$e.DisplayVersion
    $details += "$name [$ver]"

    if ($name -match '2010|2016|2019') {
        $foundAffected = $true
        continue
    }

    if ($name -match '2021|2022|11\.4|11\.5|11\.8|11\.11|12') {
        $foundClearlyNewer = $true
        continue
    }
}

$runningRelevant = $services | Where-Object { $_.Status -eq 'Running' }
$hasPortEvidence = (($listeners.Tcp | Measure-Object).Count -gt 0) -or (($listeners.Udp | Measure-Object).Count -gt 0)

Write-Host '--- BarTender CVE-2026-25550 local check ---'
if ($details.Count -gt 0) {
    Write-Host ('Installed entries: ' + ($details -join '; '))
} else {
    Write-Host 'Installed entries: none found via standard uninstall registry paths'
}

if (($services | Measure-Object).Count -gt 0) {
    Write-Host 'Services:'
    $services | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host 'Services: none matched BarTender/Seagull patterns'
}

Write-Host ('Port evidence present: ' + $hasPortEvidence)

if ($foundAffected) {
    Write-Host 'VULNERABLE'
    if (-not $hasPortEvidence) {
        Write-Host 'Note: affected version found, but no expected listening ports were observed during this check. Exposure may still depend on service state/configuration.'
    }
    exit 1
}
elseif ($foundClearlyNewer -and -not $foundAffected) {
    Write-Host 'PATCHED'
    exit 0
}
elseif (($entries | Measure-Object).Count -eq 0 -and ($services | Measure-Object).Count -eq 0) {
    Write-Host 'PATCHED'
    Write-Host 'Note: BarTender does not appear to be installed on this host.'
    exit 0
}
else {
    Write-Host 'UNKNOWN'
    Write-Host 'Note: could not confidently map installed product/version to the affected set.'
    exit 2
}

Sources

1. Seagull: What Are the Primary Network Ports Used by BarTender?
2. Seagull: Automating BarTender
3. Seagull: Do I Have to Install SQL Server Express for BarTender to Work?
4. Seagull: Updating to the Current Version of BarTender
5. Seagull: Seagull Software Technical Support Guidelines
6. Microsoft Learn: BinaryFormatter security guide
7. FIRST: EPSS data and stats
8. CISA: Known Exploited Vulnerabilities Catalog