iba ibaPDA / ibaDatCoordinator .NET Deserialization Remote Code Execution

Critical

Synopsis

A .NET deserialization vulnerability exists in iba ibaPDA and ibaDatCoordinator. An unauthenticated remote attacker can exploit it to achieve remote code execution.

The ibaPDA Server service (ibaPDAService.exe) listens on TCP port 9170 by default. Clients communicate with the server using GenuineChannels, which uses .NET Remoting. Messages sent to the server are deserialized using BinaryFormatter. GenuineChannels uses Zyan.SafeDeserializationHelpers.dll to filter BinaryFormatter payloads, but the filter only blocks a small set of gadgets (e.g., PSObject, TypeConfuseDelegate) and fails to block many other publicly known BinaryFormatter gadgets. ibaDatCoordinator uses the same vulnerable communication stack.
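An added illustration (not Tenable's PoC or iba's code) of why a denylist filter like the one described above lets unlisted types through while an allowlist refuses them. It reads only the leading records of a bare BinaryFormatter (MS-NRBF) stream. GenuineChannels framing is not modelled, and the sample bytes, the `Example.*` names and both lists are constructed assumptions.

```python
import struct

# Constructed stand-ins: PSObject (named on the page as blocked, written here with
# its full .NET type name) and a hypothetical set of types a server expects.
DENYLIST = {"System.Management.Automation.PSObject"}
ALLOWLIST = {"Example.Protocol.Request"}

def read_lps(buf, pos):
    """Read an MS-NRBF LengthPrefixedString: 7-bit varint length, then UTF-8."""
    length = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return buf[pos:pos + length].decode("utf-8"), pos + length

def leading_types(buf):
    """Return (library names, root class name) from the first NRBF records."""
    if len(buf) < 17 or buf[0] != 0:           # SerializedStreamHeader is 17 bytes
        raise ValueError("not a BinaryFormatter stream")
    pos, libs = 17, []
    while pos < len(buf):
        rec = buf[pos]
        pos += 1
        if rec == 12:                           # BinaryLibrary: int32 id, name
            name, pos = read_lps(buf, pos + 4)
            libs.append(name)
        elif rec in (2, 3, 4, 5):               # class records: int32 ObjectId, name
            return libs, read_lps(buf, pos + 4)[0]
        else:
            break                               # other record types are out of scope
    raise ValueError("no class record in leading records")

def denylist_permits(type_name):
    return type_name not in DENYLIST            # anything not listed passes

def allowlist_permits(type_name):
    return type_name in ALLOWLIST               # anything not listed is refused

def lps(text):
    return bytes([len(text)]) + text.encode()   # sample helper, valid below 128 bytes

# Constructed sample: header, one BinaryLibrary, start of ClassWithMembersAndTypes.
SAMPLE = (b"\x00" + struct.pack("<iiii", 1, -1, 1, 0)
          + b"\x0c" + struct.pack("<i", 2) + lps("Example.Lib, Version=1.0.0.0")
          + b"\x05" + struct.pack("<i", 1) + lps("Example.UnlistedType"))

if __name__ == "__main__":
    libs, root = leading_types(SAMPLE)
    print(libs, root, denylist_permits(root), allowlist_permits(root))
```

A real stream declares further types in later records, so a complete filter has to check every class record, not just the root.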

Solution

Upgrade ibaPDA to version 8.14.0 or later. Upgrade ibaDatCoordinator to version 4.0.7 or later.

Proof of Concept

# Generate a BinaryFormatter payload
ysoserial.exe -f BinaryFormatter -g AxHostState -c "notepad.exe" -o hex > AxHostState.hex

# Run PoC with the BinaryFormatter payload
python3 ibaPdaServer_deserialization_rce.py -t <target-host> -p 9170 -f AxHostState.hex

Disclosure Timeline

March 23, 2026 - Tenable sends first contact request to iba.
April 2, 2026 - Tenable sends second contact request.
April 15, 2026 - Tenable sends third and final contact request via email, reaches out to a security contact via Keybase, and submits a request via the iba website support form.
April 15, 2026 - iba responds via Keybase.
April 16, 2026 - iba responds via email. Tenable sends disclosure details.
April 17, 2026 - iba acknowledges receipt.
May 5, 2026 - iba advises a fix is available and offers it for testing.
May 19, 2026 - iba indicates they plan to publish on June 3.
May 22, 2026 - Tenable inquires about a date discrepancy.
May 26, 2026 - iba confirms the planned publication date is June 17.
May 27, 2026 - Tenable acknowledges.
June 15, 2026 - iba advises a change in the fix version number. Tenable acknowledges.
June 17, 2026 - Coordinated public disclosure.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
