
Calero Verasmart vulnerabilities

3 known vulnerabilities affecting calero/verasmart.

Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1

Vulnerabilities

CVE-2026-26335 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 2022.0 | v2022.0 +1 more | 2026-02-13
CWE-321. Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the appl
Source: nvd

CVE-2026-26333 | P2 | CRITICAL | CVSS 9.8 | fixed in 2022.0 | v2022.0 +1 more | 2026-02-13
CWE-306. Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the ex
Source: nvd

CVE-2026-26334 | P3 | HIGH | CVSS 7.8 | fixed in 2026.0 | v2026.0 +1 more | 2026-02-13
CWE-798. Calero VeraSMART versions prior to 2026 R1 contain hardcoded static AES encryption keys within Veramark.Framework.dll (Veramark.Core.Config class). These keys are used to encrypt the password of the service account stored in C:\VeraSMART Data\app.settings. An attacker with local access to the system can extract the hardcoded keys from the Veramark.F
Source: nvd
Calero Verasmart vulnerabilities | cvebase