A newly discovered critical vulnerability in FreeScout, an open-source help desk software, poses a significant threat by facilitating zero-click remote code execution (RCE) attacks, according to cybersecurity firm Ox Security. The flaw, identified as CVE-2026-28289, carries a maximum CVSS score of 10, indicating its severity and potential impact on systems.
Understanding the Vulnerability
This vulnerability is a patch bypass for a previous security issue, CVE-2026-27636, a high-severity authenticated RCE flaw. The original issue stemmed from .htaccess not being covered by the upload restrictions, which allowed authenticated users to upload a file that could alter how the server processed the upload directory and execute arbitrary code.
The latest vulnerability, CVE-2026-28289, is characterized as a Time-of-Check to Time-of-Use (TOCTOU) flaw within the filename sanitization process. The issue arises because the system checks for dot-prefixed filenames before removing invisible characters: a name that passes the check can still become a dot-prefixed name once those characters are stripped, which is what allows attackers to bypass the patch.
Exploiting the Security Flaw
To exploit this vulnerability, attackers use a zero-width space character (Unicode U+200B) to bypass filename validation. Because the character is invisible and is removed only after the dot-prefix check has run, the filename slips past the check and is saved on the server as a legitimate .htaccess file. This method enables the execution of remote commands without any user interaction or authentication.
The attack involves sending a crafted email to a FreeScout-configured mailbox. The payload included in the email is automatically saved to the server, enabling attackers to predict its location, access it, and execute remote commands, thereby gaining full control over the server.
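The ordering defect described above can be modelled in a few lines. The following is an added illustration, not FreeScout's code: a generic filename sanitizer in the vulnerable check-then-strip order beside the corrected strip-then-check order, plus a defender-side audit over names already stored on disk. All sample filenames are constructed, and the function names are this example's own.

```python
import unicodedata
from typing import Dict, Iterable, Optional

# Constructed sample attachment names; not taken from any real incident.
SAMPLE_NAMES = [
    "report.pdf",
    ".htaccess",                 # plainly dot-prefixed, caught by either order
    "\u200b.htaccess",           # zero-width space (U+200B) ahead of the dot
    "\u200b\u200b.htaccess",     # several invisible characters
    "notes\u200b.txt",           # invisible character in a harmless name
]


def strip_invisible(name: str) -> str:
    """Remove Unicode format characters (category Cf). That category covers
    the zero-width space U+200B as well as zero-width joiners and similar
    characters that render as nothing."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def is_dot_prefixed(name: str) -> bool:
    return name.startswith(".")


def sanitize_check_first(name: str) -> Optional[str]:
    """Vulnerable ordering (the pattern the article describes, in generic
    form): validate the raw name, THEN strip invisible characters. The value
    returned is what would be written to disk; None means rejected."""
    if is_dot_prefixed(name):
        return None
    return strip_invisible(name)


def sanitize_strip_first(name: str) -> Optional[str]:
    """Hardened ordering: normalize first, then validate the exact string
    that will be stored, so the check and the use see the same value."""
    cleaned = strip_invisible(name)
    if not cleaned or is_dot_prefixed(cleaned):
        return None
    return cleaned


def audit_stored_names(stored: Iterable[str]) -> Dict[str, str]:
    """Defender-side check over filenames already present in an upload
    directory: flag dot-prefixed names (e.g. .htaccess) and names that still
    carry invisible format characters. Returns {name: reason}."""
    findings: Dict[str, str] = {}
    for name in stored:
        if is_dot_prefixed(name):
            findings[name] = "dot-prefixed filename"
        elif strip_invisible(name) != name:
            findings[name] = "contains invisible format characters"
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_NAMES:
        print(repr(raw),
              "check-first ->", repr(sanitize_check_first(raw)),
              "| strip-first ->", repr(sanitize_strip_first(raw)))
    print(audit_stored_names([".htaccess", "report.pdf", "notes\u200b.txt"]))
```

Running the script shows the vulnerable order turning "\u200b.htaccess" into a stored ".htaccess" while the corrected order rejects it. The audit function is the check a practitioner would run across an existing attachment store after upgrading, since the patch does not remove files that were written before it was applied.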
Mitigating the Risk
The potential consequences of this vulnerability are severe, as successful exploitation could lead to complete server compromise. Attackers could exfiltrate sensitive data, such as helpdesk tickets and mailbox contents, and potentially move laterally across the network. This issue affects all FreeScout installations running version 1.8.206 on Apache servers with AllowOverride All enabled.
To address this critical security risk, FreeScout has released version 1.8.207, which resolves the vulnerability. Users are strongly advised to update their installations immediately to secure their systems against potential exploits.
Keeping software updated is crucial in maintaining cybersecurity defenses, and this incident underscores the importance of timely patch management to protect sensitive information and infrastructure.
