{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21665", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-02T15:00:02.871Z", "datePublished": "2026-02-23T22:34:39.632Z", "dateUpdated": "2026-02-25T16:07:57.615Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\r\n\r\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Fiserv", "product": "Originate Loans Peripherals (formerly Velocity Services) -- Print Service component", "versions": [{"version": "2021.2.4", "status": "affected", "lessThan": "2021.2.4", "versionType": "custom"}]}], "references": [{"url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete"}], "metrics": [{"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "Omar Crespo, Pentester, GM Sectec, Corp.", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-02-23T22:34:39.632Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T16:06:30.487851Z", "id": "CVE-2026-21665", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:07:57.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21665", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T16:06:30.487851Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:07:49.184Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "finder", "value": "Omar Crespo, Pentester, GM Sectec, Corp."}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Fiserv", "product": "Originate Loans Peripherals (formerly Velocity Services) -- Print Service component", "versions": [{"status": "affected", "version": "2021.2.4", "lessThan": "2021.2.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete"}], "descriptions": [{"lang": "en", "value": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\r\n\r\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-02-23T22:34:39.632Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21665", "state": "PUBLISHED", "dateUpdated": "2026-02-25T16:07:57.615Z", "dateReserved": "2026-01-02T15:00:02.871Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-02-23T22:34:39.632Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\r\n\r\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. The finding does not apply to Fiserv-hosted environments."}, {"lang": "es", "value": "El componente Print Service de Fiserv Originate Loans Peripherals (anteriormente Velocity Services) en la versi\u00f3n no compatible 2021.2.4 (compilaci\u00f3n 4.7.3155.0011) utiliza canales TCP de .NET Remoting obsoletos que permiten la deserializaci\u00f3n insegura de datos no confiables. Cuando estos servicios est\u00e1n expuestos a una red no confiable en una implementaci\u00f3n gestionada por el cliente, un atacante no autenticado puede lograr la ejecuci\u00f3n remota de c\u00f3digo. La versi\u00f3n 2021.2.4 ya no es compatible con Fiserv. Los clientes deben actualizarse a una versi\u00f3n actualmente compatible (2025.1 o posterior) y asegurarse de que los puertos del servicio .NET Remoting no est\u00e9n expuestos m\u00e1s all\u00e1 de los l\u00edmites de la red confiable.\n\nEste CVE documenta el comportamiento observado en una implementaci\u00f3n alojada por el cliente que ejecuta una versi\u00f3n heredada no compatible de Originate Loans Peripherals con puertos de .NET Remoting expuestos a una red no confiable. Esta no es una configuraci\u00f3n predeterminada o compatible. Los clientes que ejecutan versiones heredadas deben actualizarse a una versi\u00f3n actualmente compatible y asegurarse de que los puertos de .NET Remoting est\u00e9n restringidos a segmentos de red confiables. El hallazgo no se aplica a entornos alojados por Fiserv."}], "id": "CVE-2026-21665", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-02-23T23:16:15.710", "references": [{"source": "support@hackerone.com", "url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2021.2.4,2021.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Originate Loans Peripherals (formerly Velocity Services) -- Print Service component", "source": "cna", "vendor": "Fiserv"}, "product": "originate_loans_peripherals_(formerly_velocity_services)_--_print_service_component", "vendor": "fiserv"}], "analysis": {"en": {"generated_at": "2026-04-17T16:10:19.757097+00:00", "value": {"mitigation_remediation": ["Upgrade Fiserv Originate Loans Peripherals to a supported release (2025.1 or later).", "Disable or close all .NET Remoting TCP service ports to prevent exposure to external networks.", "Configure firewalls or network segmentation to restrict remoting port access to trusted internal segments only."], "summary": {"action": "Upgrade", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected customers are those running the unsupported 2021.2.4 build of the Print Service component. The product is part of Fiserv Originate Loans Peripherals, formerly Velocity Services. No supported releases initially used the same insecure mechanisms; customers should move to version 2025.1 or later, which no longer exposes the insecure .NET Remoting channels.", "description_and_impact": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) 2021.2.4 uses deprecated .NET Remoting TCP channels that perform unsafe deserialization of untrusted data. This weakness allows an unauthenticated attacker to execute arbitrary code on the affected host. The vulnerability is a direct consequence of the insecure deserialization flaw identified by CWE-502, and it can compromise confidentiality, integrity, and availability of the system if exploited.", "risk_and_exploitability": "The CVSS v3 score is 7.7, indicating high severity, while the EPSS score is less than 1%, suggesting a low probability of exploitation but still possible if the service is reachable from an untrusted network. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can target exposed .NET Remoting ports from anywhere on the network; therefore, the primary attack vector is network-based remote exploitation of an unauthenticated service."}}}}, "created": "2026-02-24T09:54:36.163080+00:00", "title": "Remote Code Execution via Insecure .NET Remoting in Unsupported Originate Loans Peripherals", "updated": "2026-04-17T16:15:22.646818+00:00", "vendors": ["fiserv", "fiserv$PRODUCT$originate_loans_peripherals_(formerly_velocity_services)_--_print_service_component"]}