Insecure Remoting Exposure in Entrust Instant Financial Issuance Software
CVE-2025-34414

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 9 December 2025

What is CVE-2025-34414?

Entrust Instant Financial Issuance (IFI) software prior to versions 6.10.5 and 6.11.1 contains an insecure .NET Remoting exposure in its Legacy Remoting Service, which is enabled by default. This vulnerability allows a remote, unauthenticated attacker to exploit the exposed remoting objects accessible through a registered TCP remoting channel. By leveraging SOAP and binary formatters, the attacker can read arbitrary files from the server, manipulate outbound authentication, and potentially achieve arbitrary file write and remote code execution using established .NET Remoting exploitation techniques. Consequently, this could lead to the disclosure of sensitive information, including installation credentials and service account data, jeopardizing the security of the affected host.

Affected Version(s)

Instant Financial Issuance (IF) 5.x

Instant Financial Issuance (IF) 6.0 < 6.10.5

Instant Financial Issuance (IF) 6.0 < 6.11.1

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Victor A. Morales of GM Sectec, Corp.