Mail2Shell: FreeScout Patch Bypass Enables Remote Code Execution
Mail2Shell Vulnerability Discovered in FreeScout
A bypass exploit for a previously patched vulnerability in the open-source help desk and shared inbox platform FreeScout has been discovered, allowing attackers to achieve remote code execution (RCE).
Background
The vulnerability, dubbed “Mail2Shell,” was identified by Ox Security and assigned the identifier CVE-2026-28289. FreeScout, a self-hosted alternative to Zendesk and Help Scout, had previously patched a high-severity vulnerability (CVE-2026-27636) that allowed any authenticated user to achieve RCE.
Vulnerability Details
Ox Security found that prefixing a file name with a zero-width space character (U+200B) defeats the patch: a file the filter should have rejected is accepted, and the attacker can use such an upload to overwrite the “.htaccess” configuration file. A directive added to “.htaccess” makes the web server execute .txt files as PHP, after which uploading a .txt file containing PHP code yields command execution.
Impact and Mitigation
FreeScout patched the original flaw, CVE-2026-27636, on February 27, 2026, but the fix was incomplete: it only denylisted certain file extensions and rejected file names that start with a dot (dotfiles such as .htaccess). A name whose first character is a zero-width space does not start with a dot, so the check let it through and the restriction could be bypassed.
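The following is an added illustration of the filter weakness described above, not FreeScout's code (FreeScout is a PHP application; this is a stand-alone Python model). `denylist_check` reproduces the behaviour the article attributes to the first fix: a denylist of extensions plus a literal "starts with a dot" test. `hardened_check` shows the shape of a robust version: normalize the name first (NFKC, then drop format and control characters such as U+200B and U+FEFF), reject path separators and dotfiles on the normalized name, and use an allowlist instead of a denylist. The extension lists and the sample file names are constructed for the example; the article does not list which extensions FreeScout blocks. The example also goes beyond the article's case by showing that a trailing invisible character would likewise slip past an unnormalized extension denylist.

```python
import unicodedata

# Constructed sample data for the demonstration (not taken from the advisory).
ZWSP = "\u200b"  # ZERO WIDTH SPACE, Unicode general category Cf (format)

# Illustrative denylist; the article does not say which extensions FreeScout blocks.
DENIED_EXTENSIONS = {"php", "phtml", "phar", "php3", "php5", "php7", "phps"}

# Illustrative allowlist of attachment types a help desk might accept (assumption).
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "csv", "zip"}


def _extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def denylist_check(filename: str) -> bool:
    """Model of the incomplete fix: reject denylisted extensions and any name
    whose *first character* is a dot. The raw, unnormalized name is inspected,
    so a leading U+200B hides the dot and a trailing U+200B hides the extension.
    Returns True when the upload would be accepted."""
    if filename.startswith("."):
        return False
    return _extension(filename) not in DENIED_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Normalize first, then decide, and decide with an allowlist.

    NFKC folds look-alike code points (e.g. fullwidth punctuation) to their
    ASCII forms; the category filter removes invisible characters in Cf
    (U+200B, U+FEFF, bidi marks), Cc (controls) and Co/Cn (private use /
    unassigned), so nothing can be tucked around a dot or an extension.
    Returns True when the upload would be accepted."""
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(
        ch for ch in name if unicodedata.category(ch) not in {"Cf", "Cc", "Co", "Cn"}
    ).strip()
    # Must be a bare base name: no separators, not empty, not '.' or '..'.
    if not name or "/" in name or "\\" in name or name in {".", ".."}:
        return False
    # Dotfiles (.htaccess, .user.ini, ...) are never legitimate attachments.
    if name.startswith("."):
        return False
    # Allowlist rather than denylist: anything unexpected is refused.
    return _extension(name) in ALLOWED_EXTENSIONS


# Constructed names: the bypass from the article plus a few neighbours.
SAMPLES = [
    ".htaccess",            # rejected by both checks
    ZWSP + ".htaccess",     # the CVE-2026-28289 pattern: passes the denylist
    "\ufeff.htaccess",      # another Cf character (BOM) with the same effect
    "shell.php",            # rejected by both
    "shell.php" + ZWSP,     # trailing invisible char defeats the denylist too
    "report.txt",           # legitimate attachment, accepted by both
    "../report.txt",        # path traversal attempt, refused by the hardened check
]


def compare(names=SAMPLES):
    """Return {name: (denylist_accepts, hardened_accepts)} for each sample."""
    return {n: (denylist_check(n), hardened_check(n)) for n in names}


if __name__ == "__main__":
    for n, (weak, strong) in compare().items():
        shown = n.encode("unicode_escape").decode()
        print(f"{shown:<24} denylist={'accept' if weak else 'reject':<6} "
              f"hardened={'accept' if strong else 'reject'}")
```

Running the block prints the verdict of both checks for every sample; the row for `\u200b.htaccess` is the one the advisory is about, accepted by the denylist and refused once the name is normalized before inspection. The general lesson is ordering: validation must run on the same canonical form that will be used to store the file, never on the raw client-supplied string.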
Escalation and Exposure
The vulnerability also escalates from an authenticated RCE to an unauthenticated RCE on internet-exposed FreeScout instances. An attacker with no account can send an email carrying malicious attachments to a mailbox that FreeScout fetches; the attachments are written to a predictable path, which the attacker then requests over the web to run the PHP and execute commands.
According to Ox Security, a Shodan search revealed approximately 1,100 publicly exposed FreeScout instances across various industries, including public health, technology, financial services, and news organizations.
Recommendation
To fully remediate the issue, FreeScout users must upgrade to version 1.8.207 or later; version 1.8.206, which carried the first fix, is still vulnerable to CVE-2026-28289. As defence in depth, the web server should be configured not to honour .htaccess files in, and not to execute scripts from, the attachment directory; this limits the impact of a malicious upload but does not replace the upgrade.
CVSS Score
The National Institute of Standards and Technology (NIST) assigned the flaw a CVSS score of 7.5 in the National Vulnerability Database (NVD), while FreeScout originally rated it 10 in its GitHub security advisory.
