CVE-2026-26333
published 2026-02-13CVE-2026-26333: Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs…
PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.93%
56.1th percentile
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calero | verasmart | < 2022 R1 | 2022 R1 |
| calero | verasmart | < 2022.0 | 2022.0 |
| calero | verasmart | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.010.0CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_oracle5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-m4w4-g5c5-j4f4: Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated
ghsa_unreviewed·2026-02-13
CVE-2026-26333 [CRITICAL] CWE-306 GHSA-m4w4-g5c5-j4f4: Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB au
Oracle
Oracle Oracle Communications Risk Matrix: Platform (BSAFE Crypto-J) — CVE-2025-26333
vendor_oracle·2026-01-15·CVSS 5.9
CVE-2025-26333 [MEDIUM] Oracle Oracle Communications Risk Matrix: Platform (BSAFE Crypto-J) — CVE-2025-26333
Oracle Oracle Communications Risk Matrix: Platform (BSAFE Crypto-J) vulnerability
CVE: CVE-2025-26333
CVSS: 5.9
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-02-13
Published