Critical FreeScout Vulnerability (CVE-2026-28289) Enables Remote Server Takeover via Malicious Emails
A newly disclosed vulnerability in FreeScout, an open-source help desk platform, allows attackers to seize control of vulnerable servers by sending a crafted email to a FreeScout mailbox. Tracked as CVE-2026-28289, the flaw is a bypass of a previous patch (CVE-2026-27636) and affects self-hosted instances running on Apache servers with AllowOverride All enabled, a common configuration.
The vulnerability stems from inadequate file upload restrictions, specifically the exclusion of .htaccess and .user.ini files from the platform's blocklist. Attackers can exploit this by prepending a Zero-Width Space (U+200B) character to a malicious filename, evading validation checks. Once uploaded, the file, such as a malicious .htaccess configuration, can redefine server behavior, enabling remote code execution (RCE).
Exploitation requires no authentication or user interaction; attackers simply email a payload containing a malicious .htaccess file and a webshell to a FreeScout mailbox. The predictable file storage location allows attackers to access and execute commands via the server’s web interface, leading to full system compromise, data exfiltration (including helpdesk tickets and mailbox content), and potential lateral movement within the network.
Researchers at OX Security identified roughly 1,100 publicly exposed FreeScout instances via Shodan, though the exact number of vulnerable deployments remains unclear. Affected organizations span public health institutions, financial services, technology providers, and news organizations, with researchers withholding specific details to prevent targeted attacks.
FreeScout v1.8.207 patches the vulnerability, and users are advised to upgrade immediately. Additionally, disabling AllowOverride All in Apache’s configuration mitigates the risk. The flaw underscores the ongoing risks of self-hosted, open-source platforms with insufficient input validation.
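The two defensive points above (a blocklist that is only compared against the raw, un-normalised filename, and an AllowOverride setting that lets an uploaded .htaccess take effect) can be illustrated with a small example. The code below is added here; it is not FreeScout's code and does not show how FreeScout validates attachments. It assumes a hypothetical validator (check_attachment_name) that canonicalises a name before checking it against a blocklist, contrasted with a raw-string comparison (naive_is_blocked), plus a helper (permissive_overrides) run over a constructed Apache vhost fragment; the executable-extension list, directory paths and sample config are all constructed for the demo.

```python
"""Added example (not FreeScout code): normalise attachment names before
validating them, and audit an Apache config for AllowOverride values that let
an uploaded .htaccess take effect.  Paths, the extension list and the sample
config are constructed for this demo."""
import posixpath
import re
import unicodedata

# File names that Apache or PHP read as configuration when they appear in a
# served directory; the article names .htaccess and .user.ini as the two the
# earlier blocklist missed.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini"}
# Extensions a typical PHP handler would execute (constructed list).
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".phps"}


def naive_is_blocked(filename: str) -> bool:
    """The weak check: compare the raw string against the blocklist.

    A leading invisible character makes the name a different string, so
    U+200B followed by ".htaccess" is not "blocked" even though it is still
    .htaccess once the invisible prefix is dropped or ignored.
    """
    return filename.lower() in SERVER_CONFIG_NAMES


def normalize_filename(filename: str) -> str:
    """Canonicalise a name once, before validation and before storage.

    - NFKC folds compatibility forms (e.g. fullwidth letters) to ASCII;
    - every Unicode format character (category Cf: U+200B zero-width space,
      U+200D joiner, U+FEFF BOM, U+202E RTL override, ...) is dropped;
      str.strip() does not remove these, so a plain "trim" lets them through;
    - only the basename survives, so path separators cannot relocate the file.
    """
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    name = posixpath.basename(name.replace("\\", "/"))
    return name.strip()


def check_attachment_name(filename: str) -> tuple[bool, str, str]:
    """Return (allowed, normalised_name, reason).

    Callers must store the file under normalised_name, never under the raw
    name, so that the string that was validated is exactly what lands on disk.
    """
    name = normalize_filename(filename)
    lower = name.lower()
    if not name or name in {".", ".."}:
        return False, name, "empty or reserved name after normalisation"
    # ".ht*" mirrors the <Files ".ht*"> deny rule in Apache's default config.
    if lower in SERVER_CONFIG_NAMES or lower.startswith(".ht"):
        return False, name, "server configuration file name"
    ext = posixpath.splitext(lower)[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return False, name, f"executable extension {ext}"
    return True, name, "ok"


# --- Apache side: is .htaccess processing enabled at all? -------------------
_ALLOW_OVERRIDE = re.compile(r"^[ \t]*AllowOverride[ \t]+([^#\n]+?)[ \t]*$",
                             re.IGNORECASE | re.MULTILINE)


def permissive_overrides(apache_config: str) -> list[str]:
    """Return every AllowOverride value other than None.

    Apache ignores .htaccess files completely only when AllowOverride is
    None; any other value (All, FileInfo, ...) lets a file dropped into the
    directory tree change server behaviour.
    """
    return [m.group(1) for m in _ALLOW_OVERRIDE.finditer(apache_config)
            if m.group(1).strip().lower() != "none"]


# Constructed vhost fragment, not a real FreeScout configuration.
SAMPLE_APACHE_CONFIG = """\
<Directory "/var/www/example/public">
    AllowOverride All
</Directory>
<Directory "/var/www/example/storage">
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for probe in [".htaccess", "\u200b.htaccess", "\ufeff.user.ini",
                  "\u200dshell.php", "report.pdf"]:
        print(f"{probe!r:24} naive_blocked={naive_is_blocked(probe)!s:5} "
              f"hardened={check_attachment_name(probe)}")
    print("permissive AllowOverride values:",
          permissive_overrides(SAMPLE_APACHE_CONFIG))
```

The design point is that validation and storage must operate on the same canonical string: whatever normalisation the storage layer performs (trimming, stripping invisible characters, taking the basename) has to run before the blocklist comparison, not after it. The Apache helper is a quick audit aid for the mitigation the article recommends; only AllowOverride None switches .htaccess processing off entirely.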
Source: https://www.helpnetsecurity.com/2026/03/05/freescout-vulnerability-cve-2026-28289/
Cyber News Centre (CNC) cybersecurity rating report: https://www.rankiteo.com/company/cyber-news-centre-cnc
"id": "CYB1772713930",
"linkid": "cyber-news-centre-cnc",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Public Health', 'Financial Services', 'Technology', 'Media'],
                        'type': 'Public health institutions, financial services, technology providers, news organizations'}],
 'attack_vector': 'Malicious email with crafted file attachment',
 'data_breach': {'data_exfiltration': 'Potential data exfiltration',
                 'personally_identifiable_information': 'Likely (helpdesk tickets, mailbox content)',
                 'sensitivity_of_data': 'High (personally identifiable information, internal communications)',
                 'type_of_data_compromised': 'Helpdesk tickets, mailbox content, sensitive data'},
 'description': 'A newly disclosed vulnerability in FreeScout, an open-source help desk platform, allows attackers to seize control of vulnerable servers by sending a crafted email to a FreeScout mailbox. The flaw (CVE-2026-28289) is a bypass of a previous patch (CVE-2026-27636) and affects self-hosted instances running on Apache servers with AllowOverride All enabled. Attackers can exploit inadequate file upload restrictions by prepending a Zero-Width Space (U+200B) character to a malicious filename, enabling remote code execution (RCE) and full system compromise.',
 'impact': {'data_compromised': 'Helpdesk tickets, mailbox content, and other sensitive data',
            'operational_impact': 'Full system compromise, potential lateral movement within the network',
            'systems_affected': 'Self-hosted FreeScout instances on Apache servers with AllowOverride All enabled'},
 'lessons_learned': 'Ongoing risks of self-hosted, open-source platforms with insufficient input validation; importance of robust file upload restrictions and configuration hardening.',
 'post_incident_analysis': {'corrective_actions': 'Patch vulnerability, disable AllowOverride All, improve input validation for file uploads',
                            'root_causes': 'Inadequate file upload restrictions, bypass of blocklist via Zero-Width Space character, misconfiguration (AllowOverride All enabled)'},
 'recommendations': 'Immediately upgrade to FreeScout v1.8.207, disable AllowOverride All in Apache configuration, and audit self-hosted instances for vulnerabilities.',
 'references': [{'source': 'OX Security Research'}],
 'response': {'containment_measures': 'Upgrade to FreeScout v1.8.207, disable AllowOverride All in Apache configuration',
              'remediation_measures': 'Patch vulnerability (FreeScout v1.8.207)'},
 'title': 'Critical FreeScout Vulnerability (CVE-2026-28289) Enables Remote Server Takeover via Malicious Emails',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-28289 (bypass of CVE-2026-27636)'}