Critical FreeScout Vulnerability Leads to Full Server Compromise: Protect Your Network
A Critical Vulnerability in FreeScout Allows for Zero-Click Remote Code Execution
A recently discovered vulnerability in the open-source help desk and shared mailbox solution FreeScout has been found to allow for zero-click remote code execution (RCE) attacks. The vulnerability, tracked as CVE-2026-28289, has been assigned a CVSS score of 10/10, indicating a critical severity level.
The Vulnerability
The vulnerability is a patch bypass for CVE-2026-27636, a high-severity authenticated RCE bug that was recently fixed. The initial issue allowed an authenticated attacker to upload a .htaccess file, tampering with file processing and achieving RCE. However, the patch for the initial CVE can be bypassed using a zero-width space character, which is invisible and passes the dot-check, resulting in a valid .htaccess filename being saved to disk.
Exploitation and Impact
The attack can be carried out by sending a malicious email to a mailbox configured in FreeScout, requiring no authentication or user interaction. The malicious payload is written to disk on the FreeScout server and can then be leveraged to execute commands remotely. An attacker can predict where the file will be saved on the disk, allowing them to access the payload and execute commands on the server.
Successful exploitation of the vulnerability could allow attackers to take full control of vulnerable servers, exfiltrate helpdesk tickets, mailbox content, and other sensitive data from FreeScout, and potentially move laterally to other systems on the network. All FreeScout 1.8.206 installations are affected when running on Apache with AllowOverride All enabled, a common configuration.
Mitigation
The vulnerability was resolved in FreeScout version 1.8.207, and users are advised to update their deployments as soon as possible.
About Author
English