Vulnerability in FreeScout Poses Serious Security Risks
A newly identified vulnerability, known as CVE-2026-28289, has emerged within the open-source help desk platform FreeScout. This vulnerability potentially enables cybercriminals to seize control of affected servers merely by dispatching a specially crafted email to a FreeScout mailbox.
Understanding FreeScout
FreeScout is a widely used open-source help desk and shared inbox platform that facilitates customer support management for various businesses and teams. Developed using PHP (Laravel) and MySQL, the system is designed for self-hosting. Organizations can deploy it on premises, a cloud server, or a virtual private server, offering them flexibility in customer interaction management.
Circumvention of Security Measures
CVE-2026-28289 is a bypass of the earlier patch for CVE-2026-27636, which was addressed in FreeScout version 1.8.206. The original vulnerability stemmed from incomplete file upload restrictions: the platform's list of blocked file names did not include server configuration files such as .htaccess and .user.ini, which left an avenue for exploitation.
.htaccess files configure the behavior of Apache web servers at the directory level, while .user.ini files adjust PHP settings per application and directory. Research by OX Security established that on Apache servers configured with AllowOverride All, an authenticated user could upload a .htaccess file and thereby change how files in that directory are served and processed, leading to Remote Code Execution (RCE).
How It Works: The Research Findings
In their investigative efforts, the OX Security team unearthed that the mitigation for CVE-2026-27636 attempted to thwart hazardous file uploads. It did so by appending an underscore to filenames deemed dangerous due to their extensions or those starting with a period (.). However, during a thorough code review, the researchers discovered a means to bypass this file extension validation by prepending a Zero-Width Space character (Unicode U+200B) to the filename.
This character is invisible to users and, because it precedes the period, the filename passes the check that blocks names beginning with a period. After that check, the U+200B character is stripped from the filename, so the file is stored as a genuine dotfile and the restriction is circumvented.
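The defect described above is an ordering problem: the name is validated before invisible characters are removed, so the canonical form that reaches the disk is never the form that was checked. The following example, added here and not taken from FreeScout's code base, contrasts that ordering with a normalize-then-validate version. The blocked-extension list, the underscore-prefix renaming, and the function names are assumptions made for the illustration.

```python
"""Filename sanitization: canonicalize before validating.

Constructed example (not FreeScout's code). It contrasts a check that runs on
the raw name and strips invisible characters afterwards with one that strips
them first and validates the canonical result.
"""
import re
import unicodedata

# Zero-width and byte-order-mark code points that render as nothing in most
# user interfaces. U+200B is the one named in the advisory; the rest are added
# here as common companions (assumption: list is illustrative, not exhaustive).
INVISIBLE = re.compile(r"[\u200B\u200C\u200D\u2060\uFEFF]")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Hypothetical blocked-extension list. Note that "htaccess" is deliberately
# absent: dotfiles are meant to be caught by the leading-period rule, which is
# exactly the rule the zero-width prefix sidesteps.
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar", "php7"}


def _looks_dangerous(name: str) -> bool:
    """Return True for dotfiles and for names with a blocked extension."""
    lower = name.lower()
    if lower.startswith("."):
        return True
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    return ext in DANGEROUS_EXTENSIONS


def _defuse(name: str) -> str:
    """Rename a dangerous file. This example prepends the underscore so the
    result can never itself be a dotfile (a design choice for this example)."""
    return "_" + name


def _canonicalize(name: str) -> str:
    """Produce the form that will actually be written to disk."""
    name = unicodedata.normalize("NFKC", name)  # folds look-alike code points
    name = INVISIBLE.sub("", name)
    name = CONTROL.sub("", name)
    return name.strip()  # trailing dots/spaces are also significant on some filesystems


def sanitize_check_then_strip(name: str) -> str:
    """Weak ordering: validate the raw string, then strip invisible characters.

    "\u200b.htaccess" starts with U+200B rather than ".", so it passes the
    dotfile rule, and only afterwards collapses to ".htaccess"."""
    if _looks_dangerous(name):
        name = _defuse(name)
    return _canonicalize(name)


def sanitize_strip_then_check(name: str) -> str:
    """Hardened ordering: canonicalize first, validate the canonical form, and
    assert the post-condition so a later change cannot silently reopen it."""
    name = _canonicalize(name)
    if _looks_dangerous(name):
        name = _defuse(name)
    if name.startswith("."):
        # Defence in depth: a stored upload must never be a dotfile.
        raise ValueError("sanitizer post-condition violated")
    return name


if __name__ == "__main__":
    sample = "\u200b.htaccess"  # constructed input: zero-width space, then a dotfile name
    print(repr(sanitize_check_then_strip(sample)))   # '.htaccess'  (stored as a live dotfile)
    print(repr(sanitize_strip_then_check(sample)))   # '_.htaccess' (defused)
```

The general lesson is that every transformation applied to an untrusted name (Unicode normalization, stripping, truncation, case folding) must happen before the security check, and the value that is checked must be byte-for-byte the value that is stored.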
Furthermore, the research team devised a method to exploit CVE-2026-28289 remotely. This can be executed without authentication or user engagement by simply sending an email that contains a malicious .htaccess file along with a web shell to a FreeScout-configured mailbox, effectively compromising the server.
Implications of Exploitation
Once the exploit is successfully enacted, the malicious payload written to the disk on the FreeScout server becomes accessible to attackers via the server’s web GUI. Since the file’s storage location is predictable, attackers can use this access to execute commands remotely, leading to serious security implications.
Action Steps for Users
As noted by the researchers from OX Security, the Shodan search engine currently reveals approximately 1,100 publicly exposed FreeScout instances. While it remains uncertain whether all these deployments are susceptible to CVE-2026-28289, those that are could face severe risks, including system takeover and potential data exfiltration. Sensitive information such as helpdesk tickets and mailbox contents could be compromised, and attackers might use the infiltrated system to propagate through the local network.
The researchers reported detecting exposed FreeScout deployments across various sectors, including public health, technology providers, financial services, and media organizations. However, they have opted to withhold specific identifying details to minimize risks for the affected parties.
Organizations currently using FreeScout for customer support, particularly those running it on Apache without recent updates, are strongly urged to upgrade to version 1.8.207 immediately. In addition, disabling the AllowOverride All setting in the Apache configuration of FreeScout servers will bolster security.
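The hardening step above means that Apache ignores any .htaccess file that lands in the web root, whatever its contents. The fragment below is an added illustration, not part of the article or of FreeScout's shipped configuration; the document-root path is an assumption, and the rewrite rules are the usual Laravel front-controller rules that FreeScout's own public/.htaccess should be checked against before it stops being read.

```apache
# Weak: per-directory .htaccess files are honoured, so any such file written
# into the document root can change how files in that directory are handled.
<Directory /var/www/freescout/public>      # assumed path
    AllowOverride All
    Require all granted
</Directory>

# Hardened: .htaccess files are ignored entirely. The rewrite rules the
# application needs move into the main server configuration instead.
<Directory /var/www/freescout/public>      # assumed path
    AllowOverride None
    Require all granted

    RewriteEngine On
    # Standard Laravel front controller: send everything that is not an
    # existing file or directory to index.php.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</Directory>
```

After editing, run `apachectl configtest` (or `apache2ctl configtest`) before reloading, and confirm that application URLs still resolve, since any directive that previously lived only in .htaccess is no longer applied.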
Cybersecurity is an ever-evolving landscape, making awareness and proactive measures crucial. It is imperative for organizations to remain vigilant and inform themselves of potential vulnerabilities in the software they rely on. For up-to-date information, one may consider subscribing to cybersecurity news alerts to stay on top of the latest incidents and protect their systems effectively.
