
Unauthenticated Takeover in Label Software BarTender (CVE-2026-25550): Legacy 2010/2016/2019 at Risk

BarTender, the label and barcode printing software widely used in factories, warehouses and logistics, has a 9.8-severity flaw (CVE-2026-25550) in its legacy 2010/2016/2019 versions. An attacker can take over the PC remotely with no login and run code at the highest privilege. Block the service and migrate.

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.05

An older generation of BarTender — the software used worldwide in factories, warehouses, and logistics to print product labels and shipping barcodes — has a flaw rated 9.8 out of 10. It is CVE-2026-25550, and it affects BarTender 2010, 2016, and 2019 — all versions from several years ago.

What makes it frightening is that the target PC can be taken over across the network with no login at all. And the component used to do it runs with Windows' highest privilege (SYSTEM), so once an attacker is in, the whole machine is theirs. The security firm VulnCheck, which found the flaw, published the technical details on June 4, 2026. The more actively a machine is used for label printing, the more it needs checking.

What happens, in one line

In short, a reception window that anyone could talk to ran whatever it was handed, without checking who sent it. Older BarTender includes a background service (the BarTender System Service) that accepts commands over the network and listens on the PC's port 7375. That window was meant for internal coordination, but it never verified who the caller was, and it trusted and processed whatever data arrived.

An attacker only has to send crafted data to that window to run any program of their choice on the target PC. According to VulnCheck's writeup, it goes beyond running programs: it can read and write files and steal Windows login data (the authentication data known as NTLMv2). Stolen login data then becomes a foothold for breaking into other servers on the same internal network.

CVE-2026-25550: from an unverified window to a highest-privilege takeover

Formally, it is a combination of CWE-306 (missing authentication for a critical function) and CWE-502 (unsafe deserialization of untrusted data). The U.S. National Vulnerability Database (NVD) assigned a high severity of 9.8 on CVSS 3.1 and 9.3 on the newer CVSS 4.0. The only condition for attack is network access — no login and no user interaction. Because the service running the window operates with Windows' highest privilege (NT AUTHORITY\SYSTEM), a takeover hands over full control of the PC, the worst kind of flaw.

What is BarTender, anyway?

BarTender, made by the U.S. company Seagull Scientific, is software for designing and printing labels, barcodes, RFID tags, and membership cards. Because it prints fixed-format labels in large volumes and accurately, it is widely used wherever goods are made and shipped: manufacturing shipping labels, warehouse inventory, food and pharmaceutical markings, and retail price tags. It has sales and support presence in many regions, with plenty of deployments in factories and distribution centers.

A trait of this kind of operational software is that once it works, it keeps running for a long time. Because label formats and printer settings are carefully built, plenty of sites keep running a years-old version under the "if it works, don't touch it" rule. BarTender 2010, 2016, and 2019 — the versions affected here — are exactly such "old releases still running in production." The very convenience that delays updates is what lets a vulnerability linger.

At the center of the problem is a background program bundled with BarTender, the "BarTender System Service." To coordinate label printing across multiple PCs, it exchanges commands over the network, and it opens and listens on the PC's port 7375 without the user being aware of it. Normally it is a handy coordination mechanism, but because that reception had no identity check, it became a direct way in.

The essentials in one minute

Before the details, here are the key points. The checks are simple: is your BarTender one of 2010, 2016, or 2019, and is port 7375 reachable from outside or from other machines?

Item | Detail
CVE | CVE-2026-25550
Affected software | BarTender 2010 / 2016 / 2019 (label and barcode printing software)
Severity | 9.8 / 10 (Critical, CVSS 3.1); 9.3 (CVSS 4.0)
Type | Missing authentication (CWE-306) + unsafe deserialization (CWE-502) → code execution
Attack condition | Network access only (no login, no user interaction)
Entry point | TCP port 7375 (BtSystem.Service.exe)
Run privilege | SYSTEM (highest on Windows)
Exploitation | Not in KEV, no public PoC (as of June 5, 2026)

"Reconstructing data handed in from outside without checking it" is not a new class of flaw. Recently, the communication framework Apache MINA's deserialization RCE worked the same way, and the file-sharing service Samba's unauthenticated RCE overlaps on the "missing identity check" point. What is different is that with BarTender the stage is a manufacturing or logistics floor that cannot be allowed to stop.

When a machine that just prints labels becomes the way into a factory's highest privilege

The number "9.8" may not make it obvious what is lost when label-printing software is taken over, so let's first picture who would actually target this hole and why. BarTender does not run on an ordinary office PC; it runs on a machine right beside the production line or shipping dock that is not allowed to stop. Once that can be seized at the highest privilege, it is clear who comes for it.

The people coming for it are the crime groups that hit factories and logistics warehouses with ransomware, the operators of scan bots that automatically hunt for a port 7375 exposed to the internet, and the intruders who slip into a factory LAN posing as a supplier or maintenance contractor. What they gain is not abstract "data." It is the Windows machine itself running at the highest privilege, a foothold into the production-management system and file servers on the same network, the stolen Windows login data, and the power to rewrite what shipping labels say. The moment crafted data is thrown at port 7375, a machine that only printed labels turns into the way into the factory's entire Windows estate.

Technically, what makes this flaw a poor fit for manufacturing and logistics is that the damage does not stop at one machine. The login data stolen on the seized machine becomes the key to entering other internal servers with a legitimate face. From there, attackers spread sideways into production-management or core servers, hold the whole thing hostage with ransomware, or rewrite barcodes on shipping labels to cause misshipments and break traceability records. When a line stops, losses pile up by the hour, and if mislabeled pharmaceuticals or food reach the market, recalls and lost trust are a separate kind of harm waiting.

The label "CVSS 9.8" only marks the ceiling of technical severity. For a manufacturing or logistics floor, what is really lost is the uptime of a line that must not stop, the accuracy of shipments, and the safety of the entire internal network. A humble label-printing machine can be the shortest path to the heart of a factory — and that fact is more pressing than any number.

Why it happened, technically

According to VulnCheck's advisory, the root cause lies in the configuration of an old communication mechanism the BarTender System Service uses, ".NET Remoting." This is a legacy, now-deprecated way for Windows apps to talk to each other over the network. The service opened this window with the most dangerous settings: "no caller verification (unauthenticated)" and "reconstruct incoming data in any form (TypeFilterLevel set to Full)."

That "reconstruct incoming data as-is" step is unsafe deserialization. An attacker crafts data that, when reconstructed, calls a program of its own accord, and sends it to port 7375. The service reconstructs it without suspicion, and the attacker's commands run with the service's privilege (SYSTEM). The window's interior was exposed as an object named "BarTenderSystem" in BarTender 2016 and "DataServiceSingleton" in 2019. With no identity check, anyone who knew that entry point could talk to it.

This "unauthenticated .NET Remoting window" is not unique to BarTender. The finder, VulnCheck, has reported the same class of flaw one after another, in the card-issuance system Entrust IFI and the management tool Barracuda RMM, showing it is a landmine lying widely dormant in older Windows business software. The pattern of running a definition handed in from outside is continuous with the AI tool Langflow's unauthenticated RCE. No public proof-of-concept exists as of June 5, 2026, but deserialization attacks are a well-known technique, so this is not one to be complacent about.
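The two settings named above, a channel with no caller authentication and a formatter with TypeFilterLevel set to Full, are visible in a .NET Remoting application's configuration. The following PowerShell audit is an added example (not BarTender's, Seagull Scientific's or VulnCheck's code) that flags those settings in any legacy .NET app's config, so it generalizes past BarTender; the XML it reads is a constructed sample in the documented <system.runtime.remoting> schema rather than BarTender's real configuration, and Get-RemotingChannelRisk is a hypothetical helper name.

```powershell
# Added example, not BarTender's or VulnCheck's code: audit a .NET Remoting
# configuration for the two guards the advisory says were missing, caller
# authentication (secure="true") and a restrictive typeFilterLevel (not "Full").
# $SampleConfig is a constructed sample in the documented schema, not BarTender's config.
$SampleConfig = @'
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="tcp" port="7375" secure="false">
          <serverProviders>
            <formatter ref="binary" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
'@

function Get-RemotingChannelRisk {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($ch in $Config.SelectNodes('//system.runtime.remoting/application/channels/channel')) {
        # A missing "secure" attribute means unauthenticated; a missing typeFilterLevel means Low.
        $authenticated = $ch.GetAttribute('secure') -eq 'true'
        $level = 'Low'
        foreach ($f in $ch.SelectNodes('serverProviders/formatter')) {
            if ($f.GetAttribute('typeFilterLevel') -eq 'Full') { $level = 'Full' }
        }
        $verdict = if (-not $authenticated -and $level -eq 'Full') {
            'Critical: anyone on the network can send objects of any type for deserialization'
        } elseif (-not $authenticated -or $level -eq 'Full') {
            'High: one of the two guards is missing'
        } else {
            'Still legacy: .NET Remoting is deprecated, plan to replace it'
        }
        [pscustomobject]@{
            Channel         = $ch.GetAttribute('ref')
            Port            = $ch.GetAttribute('port')
            Authenticated   = $authenticated
            TypeFilterLevel = $level
            Verdict         = $verdict
        }
    }
}

# Constructed sample yields "Critical"; for a real <app>.exe.config use [xml](Get-Content -Raw $path).
Get-RemotingChannelRisk -Config $SampleConfig | Format-List
```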

Affected versions and the response

The scope VulnCheck's advisory describes is below. All are older generations referred to by their major-version names, and they differ in architecture from the current supported line (BarTender 2022 and later).

Version | Scope | Action
BarTender 2010 | 10.1 R4 and earlier | Migrate to current + block 7375
BarTender 2016 | R9 and earlier | Migrate to current + block 7375
BarTender 2019 | R10 and earlier | Migrate to current + block 7375
BarTender 2022+ | Out of scope (different design) | Stay on the latest service release

Note that, as of the advisory, no patch is specified for the older versions. The affected 2010, 2016, and 2019 are all aging generations with dwindling vendor support, so the real fix is migrating to a supported current version (BarTender 2022 or later). If you cannot migrate quickly, blocking the traffic described below is the practical stopgap that closes the entry point. You can check your version from BarTender's Help menu or from the Windows "Add or remove programs" list.

What to do right now

The top priority is making port 7375, the attack's entry point, unreachable from outside or from other machines. Block inbound connections to TCP 7375 with the Windows firewall or your network equipment. If you do not use this service for multi-PC print coordination, the most reliable step is to stop and disable the "BarTender System Service" (BtSystem.Service.exe) from the Windows "Services" console. Even if you do use it for coordination, restrict it to a closed network among the printing machines so it cannot be reached from outside or the general office network.

On top of that, plan the migration to a supported current version as the root fix. It is also worth checking whether you have already been hit: look for records of unfamiliar connections to port 7375, suspicious process launches on the label-printing machine, and unexpected outbound traffic. In case of abuse, work on the assumption that Windows login data has already been stolen — rotate the passwords of affected accounts and trace for signs of lateral movement inside the internal network. The way stolen credentials get repurposed as a stepping stone for the next intrusion is continuous with attack chains that travel through components and software. This vulnerability is not in CISA's catalog of vulnerabilities known to be exploited (KEV) as of June 5, 2026, but there is no reason to wait for it to be listed.
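The checks and stopgaps described above, as an added PowerShell script (not Seagull Scientific's or VulnCheck's code) to be run as an administrator on the label-printing PC: it reports the installed BarTender generation, any listener on TCP 7375 and the service that owns BtSystem.Service.exe, and applies the firewall block and service shutdown only when asked. The -Block and -DisableService switches are assumed names, and the service is located by its binary because the advisory gives the exe name, not the service name.

```powershell
# Added example (not Seagull Scientific's or VulnCheck's code); run as administrator on
# the label-printing PC. Reports the installed BarTender version, any listener on TCP 7375
# and the service owning BtSystem.Service.exe; -Block adds an inbound firewall block for
# 7375 and -DisableService stops and disables that service.
[CmdletBinding()]
param([switch]$Block, [switch]$DisableService)

# 1. Installed version, from the "Add or remove programs" registry entries (32- and 64-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'BarTender*' } |
    ForEach-Object {
        # Generation check by product name is a heuristic; confirm against the advisory's scope table.
        $flag = if ($_.DisplayName -match '\b(2010|2016|2019)\b') { 'AFFECTED generation' } else { 'not in advisory scope' }
        "Installed: $($_.DisplayName) $($_.DisplayVersion) - $flag"
    }

# 2. Is anything listening on the vulnerable port, and which process owns it?
Get-NetTCPConnection -LocalPort 7375 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "Listening on $($_.LocalAddress):7375 - PID $($_.OwningProcess) ($($proc.ProcessName))"
    }

# 3. Find the service by its binary, since the advisory names BtSystem.Service.exe, not the service.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*BtSystem.Service.exe*' }
if ($svc) { "Service: $($svc.Name) state=$($svc.State) startup=$($svc.StartMode)" }

if ($Block) {
    # Block rules win over allow rules in Windows Firewall. Sites that keep multi-PC
    # coordination should instead use an Allow rule scoped with -RemoteAddress to the
    # closed printing subnet under a default-Block inbound profile, not this blanket block.
    New-NetFirewallRule -DisplayName 'CVE-2026-25550 block inbound TCP 7375' `
        -Direction Inbound -Protocol TCP -LocalPort 7375 -Action Block | Out-Null
    "Firewall: inbound TCP 7375 blocked"
}
if ($DisableService -and $svc) {
    # Only for machines that do not use the service for multi-PC print coordination.
    Stop-Service -Name $svc.Name -Force
    Set-Service -Name $svc.Name -StartupType Disabled
    "Service $($svc.Name) stopped and disabled"
}
```

Run it once without switches to see the exposure report, then rerun with -Block (and -DisableService where coordination is not used) after confirming the machine is one of the affected generations.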

Risk check for your setup

Here are the angles for quickly judging how urgently you need to act, in order of risk. Use it to prioritize your response.

Your situation | Risk level
Running 2010/2016/2019 and 7375 reachable from outside | Highest (block and migrate now)
Running 2010/2016/2019 but limited to a closed internal net | Needs action (watch internal paths)
Version unknown / not updated in a long time | Check first (likely old version)
On 2022+ / not using BarTender | No direct impact

Note that "safe because it is only on the internal network" does not hold. This attack is unauthenticated and over the network, so it can succeed from an intruder posing as a supplier or an attacker who gained a foothold inside by another route. Even without exposure, as long as you run an affected version, blocking 7375 and migrating to a current release are necessary. In particular, do not leave machines of unknown version untouched — check them once.

How this unfolded

Here is the timeline from discovery to disclosure. This flaw came out of a security firm's systematic study of "unauthenticated .NET Remoting windows" lingering in old Windows business software.


Frequently asked questions

Q. How do I check which BarTender version I have?

A. Launch BarTender and check the version info under the Help menu. If it won't launch, check the name and version of BarTender in the Windows "Settings" → "Apps" (or "Add or remove programs") list. If it shows "2010," "2016," or "2019," it is likely affected, and you should first inspect the state of port 7375.

Q. I use the latest BarTender (2022 or 2025). Am I affected?

A. The advisory scopes this to the older 2010, 2016, and 2019 generations. The current supported line differs in architecture and is not directly in scope. That said, it is safest to keep operational software on the latest service release, so it is worth confirming that updates have not stalled.

Q. I can't migrate to a new version right away. What is the minimum?

A. Closing port 7375, the attack's entry point, is the top priority. If you do not use the BarTender System Service for multi-PC coordination, the most reliable step is to stop and disable it from the Windows "Services" console. If you do use it, restrict it to a closed network among the printing machines and block port 7375 from outside or the general office network with a firewall. This only buys time; the real fix is migrating to a current version.

Q. A machine that only prints labels gets taken over — is that really a big deal?

A. The service runs with Windows' highest privilege (SYSTEM), so a takeover seizes the whole machine. From there, attackers can move sideways into production-management systems and file servers on the same network, using it as a launch point for ransomware or credential theft. Even a "just prints labels" machine, sitting inside the factory network, has high value as an entry point.
