Full Report
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication. [...]
Analysis Summary
# Vulnerability: FreeScout "Mail2Shell" Zero-Click Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-28289
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type) / Patch Bypass
## Affected Systems
- **Products:** FreeScout (Open-source help desk and shared mailbox platform)
- **Versions:** All versions up to and including **1.8.206**
- **Configurations:** Systems that receive email via external mailboxes (the zero-click path), or systems with authenticated users who have file upload permissions.
## Vulnerability Description
This vulnerability is a patch bypass for CVE-2026-27636. The original fix attempted to block malicious file uploads (specifically `.htaccess` files) by renaming files whose names started with a dot or carried a restricted extension.
Researchers discovered that prefixing a filename with a **Zero-Width Space (Unicode U+200B)** bypasses that validation: the name no longer begins with a dot at check time, and the character itself is invisible. During subsequent processing, the system strips this character, so the file is saved as a functional `.htaccess` file in the `/storage/attachment/` directory. With a malicious `.htaccess` in place, an attacker can reconfigure how the web server treats that directory and execute arbitrary code (e.g., PHP shells).
## Exploitation
- **Status:** PoC availability confirmed by researchers; no active exploitation in the wild reported yet.
- **Complexity:** Low
- **Attack Vector:** Network (Zero-click via email attachment)
## Impact
- **Confidentiality:** High (Full server compromise and data breach)
- **Integrity:** High (Ability to modify files and system configurations)
- **Availability:** High (Potential for service disruption and lateral movement)
## Remediation
### Patches
- **Update to FreeScout version 1.8.207 or later.** This version addresses the zero-width space bypass.
### Workarounds
- **Apache Configuration:** Replace `AllowOverride All` with `AllowOverride None` for the FreeScout storage directories in the Apache configuration. Apache then ignores `.htaccess` files in those directories, even if one is uploaded successfully.
## Detection
- **Indicators of Compromise:**
  - Presence of files in the `/storage/attachment/` directory starting with a dot (e.g., `.htaccess`).
  - Audit logs showing the upload of files whose names contain the Unicode character `U+200B`.
- **Detection methods and tools:**
  - Scan web server directories for unauthorized `.htaccess` files.
  - Monitor for unexpected PHP execution within the attachments directory.
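The check-then-strip ordering behind the bypass (Vulnerability Description) and the stored-file indicators above, as an added example that is not FreeScout's code: a constructed model of the flawed ordering, the corrected normalise-then-validate ordering, and a scanner for attachment names. The extension deny-list and the zero-width code points beyond U+200B are assumptions.

```python
"""Added example, not FreeScout's own code: a constructed model of the
validate-then-strip ordering the advisory describes, the corrected
normalise-then-validate ordering, and a scanner for the stored-file IoCs."""
import os

# U+200B is the character named in the advisory; the other zero-width code
# points are an assumption added as a defensive generalisation.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BLOCKED_EXT = {"php", "phtml", "phar"}  # illustrative deny-list, assumed

def strip_invisible(name: str) -> str:
    """Mirror the later processing step that drops zero-width characters."""
    return "".join(ch for ch in name if ch not in INVISIBLE)

def is_blocked(name: str) -> bool:
    """Upload policy: no dot-prefixed names, no blocked extensions."""
    if name.startswith("."):
        return True
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXT

def flawed_store_name(name: str):
    """Validate the raw name, then strip: the name that lands on disk was
    never checked. Returns the stored name, or None if rejected."""
    return None if is_blocked(name) else strip_invisible(name)

def hardened_store_name(name: str):
    """Normalise first, then validate exactly the name that will be stored."""
    final = strip_invisible(name)
    return None if is_blocked(final) else final

def classify(name: str):
    """Reason a stored filename is suspicious, or None if it looks benign."""
    final = strip_invisible(name)
    if name.startswith("."):
        return "dot-file"
    if final != name and final.startswith("."):
        return "zero-width prefix hides a dot-file"
    if final != name:
        return "contains zero-width characters"
    return None

def flag_names(names):
    """(name, reason) pairs for every suspicious name, in input order."""
    return [(n, classify(n)) for n in names if classify(n)]

def scan_attachment_dir(path: str):
    """Run flag_names over an on-disk directory such as storage/attachment."""
    return flag_names(sorted(os.listdir(path)))
```

Run `scan_attachment_dir` against the attachment directory on a schedule; any finding other than `None` warrants the `AllowOverride` check from the Workarounds section.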
## References
- Vendor Advisory: [hxxps://github[.]com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp]
- Researcher Blog: [hxxps://www[.]ox[.]security/blog/freescout-rce-cve-2026-28289/]
- NVD: [hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-28289]