CVE-2026-26335
published 2026-02-13

Priority P275 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.81% (84.7th percentile)

Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.

Affected

3 ranges
Vendor | Product   | Version range | Fixed in
calero | verasmart | < 2022 R1     | 2022 R1
calero | verasmart | < 2022.0      | 2022.0
calero | verasmart |               |

Detection & IOCs (extracted from sources)

  • Monitor for suspicious ASP.NET ViewState submissions that pass MAC/integrity validation but originate from unexpected sources — this may indicate use of stolen machineKey values to craft malicious ViewState payloads for deserialization RCE.
  • DOC 2 (exploit-db.com/exploits/52540) describes a Path Traversal vulnerability in Repetier-Server 1.4.10 and is NOT related to CVE-2026-26335 (Calero VeraSMART machineKey/ViewState RCE). The CVE number appears to have been misassigned or mislabeled in that source. No IOCs from DOC 2 were extracted for this CVE.
  • The vulnerability affects Calero VeraSMART versions prior to 2022 R1 only. Patched versions (2022 R1 and later) are not affected, as the static machineKey issue is resolved in that release.
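
An added example (not from the vendor or from the sources above): a Python check that reads a web.config and reports whether its machineKey element carries fixed validationKey/decryptionKey values instead of AutoGenerate, which is the condition the description names. The function name, the result fields and both sample configs are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; the key material is a placeholder, not a real key.
STATIC_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""
AUTOGEN_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")


def audit_machine_key(config_xml):
    """Return one finding per <machineKey> element found in a web.config string."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Strip an XML namespace, if any, before comparing the tag name.
        if not isinstance(el.tag, str) or el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        if el.get("configSource") or el.get("configProtectionProvider"):
            # Keys live in another file or are encrypted: cannot be judged here.
            findings.append({"status": "unresolved", "keys": {}})
            continue
        keys = {}
        for attr in KEY_ATTRS:
            value = (el.get(attr) or "").strip()
            # Absent or "AutoGenerate[,IsolateApps]" means ASP.NET generates the key.
            if value and not value.lower().startswith("autogenerate"):
                # Record a short fingerprint so hosts can be compared for key
                # reuse without copying the key into a report.
                keys[attr] = hashlib.sha256(value.upper().encode()).hexdigest()[:12]
        findings.append({"status": "static" if keys else "autogenerated", "keys": keys})
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_key(cfg))
```

Identical fingerprints reported from two separate installations mean both share the same key material.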

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X