CVE-2026-28289
Published: 2026-03-03
Priority: P2 · 74 · high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 31.14% (98.0th percentile)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freescout | freescout | < 1.8.207 | 1.8.207 |
Detection & IOCs (extracted from sources)
- Detect email attachments with a Zero-Width Space (U+200B) character prefix in the filename, particularly those with a .htaccess base name, delivered to FreeScout-configured mailboxes via SMTP/IMAP/POP3.
- Alert on HTTP requests to paths under the FreeScout storage/app/ (storage:link) directory that result in PHP code execution, which would indicate a successfully uploaded malicious .htaccess using SetHandler.
- The exploit is zero-click and unauthenticated — no user interaction is required. Treat any unexpected .htaccess file appearing in FreeScout attachment directories as a high-severity indicator of compromise.
- This is a patch bypass for CVE-2026-27636. The TOCTOU flaw means the dot-prefix check in sanitizeUploadedFileName() fires before invisible Unicode characters (ZWSP U+200B) are stripped, so the original CVE-2026-27636 fix is fully bypassed.
- The vulnerability affects all FreeScout versions up to and including 1.8.206. The fix is in version 1.8.207. Patching alone may be insufficient without also disabling Apache AllowOverride All.
- The Metasploit module description labels this 'Unauthenticated RCE' but the NVD/vendor advisory states it requires 'any authenticated user with file upload permissions'. The zero-click email delivery path (sending a crafted email to a FreeScout mailbox) is what enables unauthenticated exploitation.
- Exploitation via the email delivery vector requires the IMAP/POP3 cron job to run (typically every 60 seconds) before the malicious .htaccess is stored and accessible.
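A filename triage routine for the first and third indicators above (invisible-character prefixes and unexpected .htaccess or other dot-prefixed names under the attachment storage), added here as an example that is not from the page's sources or from FreeScout. The sample paths are constructed; the storage/app/example/ subdirectory, the two-level severity scale and the short list of named invisible characters are assumptions. It is written to run over names pulled from a mail log or a directory listing, and reports both the raw name and what an operator would actually see.

```python
import unicodedata
from dataclasses import dataclass, field

# Names for the invisible characters a reviewer is most likely to meet
# (assumed list); any other category-Cf character is reported by code point.
KNOWN_INVISIBLE = {
    "\u200b": "ZWSP U+200B",
    "\u200c": "ZWNJ U+200C",
    "\u200d": "ZWJ U+200D",
    "\ufeff": "ZWNBSP U+FEFF",
}


@dataclass
class Finding:
    raw: str                               # filename exactly as received/stored
    visible: str                           # what a human reviewer would see
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Assumed scale: a .htaccess base name is the page's high-severity
        # indicator; anything else flagged is worth a look but not an alarm.
        return "high" if any(r.startswith(".htaccess") for r in self.reasons) else "medium"


def visible_name(name: str) -> str:
    """Drop every category-Cf character so the name matches what a UI shows."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def inspect_attachment_name(path: str) -> Finding:
    """Flag invisible characters and hidden/.htaccess base names in one path."""
    reasons = []
    hidden = [KNOWN_INVISIBLE.get(ch, f"U+{ord(ch):04X}")
              for ch in path if unicodedata.category(ch) == "Cf"]
    if hidden:
        reasons.append("invisible characters: " + ", ".join(hidden))
    base = visible_name(path).rsplit("/", 1)[-1]   # base name after cleanup
    if base.lower() == ".htaccess":
        reasons.append(".htaccess base name (Apache per-directory config)")
    elif base.startswith("."):
        reasons.append("dot-prefixed (hidden) file name")
    return Finding(path, visible_name(path), reasons)


def scan_attachment_names(paths):
    """Return only the findings that carry at least one reason."""
    return [f for f in map(inspect_attachment_name, paths) if f.reasons]


# Constructed sample: paths as they might appear in a listing of the
# FreeScout storage/app/ tree (subdirectory names are made up, not real data).
SAMPLE_NAMES = [
    "storage/app/example/1/invoice-2026-03.pdf",
    "storage/app/example/2/\u200b.htaccess",
    "storage/app/example/3/.htaccess",
    "storage/app/example/4/\u200bnotes.txt",
    "storage/app/example/5/.env",
]

if __name__ == "__main__":
    for f in scan_attachment_names(SAMPLE_NAMES):
        print(f"[{f.severity}] {f.visible!r}: {'; '.join(f.reasons)}")
```

Because the match is done on the cleaned base name, a crafted name and a plain .htaccess produce the same high-severity finding; the invisible characters are reported separately so an analyst can tell the two apart when reading the raw field.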
No advisories linked to this vulnerability.
No detection rules found.
Rapid7: Metasploit Wrap-Up 04/03/2026
blogs_rapid7 · 2026-04-03 · CVSS 8.1 · HIGH
## Additional Adapters and More Modules
This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into!
New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks!
Thanks to g0tmi1k, Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for
BleepingComputer: Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
blogs_bleepingcomputer · 2026-03-04 · CVSS 8.8 · HIGH
By Bill Toulas
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication.
The flaw is tracked as CVE-2026-28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE-2026-27636) that could be exploited by authenticated users with upload permissions.
Researchers at OX Security, a company that secures applications from code to runtime, say that an attacker can exploit the new vulnerability by "sending a single crafted email to any address configured in FreeScout."
According to them, the fix attempted to block dangerous file uploads by modifying filenames with restricted extensions or