FreeScout Vulnerability CVE-2026-28289: Zero-Click RCE Exploit
A critical vulnerability in the open-source help desk platform FreeScout (CVE-2026-28289) allows attackers to execute remote code without authentication or user interaction. This flaw, discovered by OX Security researchers, exploits a bypass in a previously patched vulnerability (CVE-2026-27636), enabling unauthenticated users to take control of vulnerable servers via a malicious email.
How the FreeScout Vulnerability Works
FreeScout, built on PHP and MySQL, is designed for self-hosting on Apache servers. The vulnerability stems from a flaw in how the platform handles file uploads. Attackers can exploit this by sending an email containing a malicious .htaccess file and a webshell to a configured FreeScout mailbox.
Key Exploitation Steps
- Zero-Width Space Bypass: Attackers prepend a Unicode zero-width space (U+200B) to filenames, tricking the system into accepting restricted files like .htaccess.
- Remote Code Execution (RCE): The malicious file is saved to a predictable location, allowing attackers to access it via the web GUI and execute arbitrary commands.
- No Authentication Required: The exploit requires no user interaction, making it particularly dangerous for exposed instances.
Impact and Risk
Shodan scans reveal approximately 1,100 publicly accessible FreeScout instances. While not all are vulnerable, affected systems risk:
- Data exfiltration (helpdesk tickets, emails)
- Network lateral movement
- Full server compromise
Researchers confirmed vulnerable deployments in healthcare, finance, and tech sectors. Specific details are withheld to protect affected organizations.
How to Mitigate the FreeScout Vulnerability
Immediate action is critical:
- Upgrade to v1.8.207: The latest version patches the exploit chain.
- Disable AllowOverrideAll: Modify Apache configurations to restrict .htaccess overrides.
- Restrict File Uploads: Implement strict validation for uploaded files.
Why This Vulnerability Matters
The exploit highlights the risks of self-hosted platforms when default configurations are not hardened. Apache’s AllowOverrideAll setting, common in many deployments, becomes a security liability when combined with lax file validation.
Stay Informed
Subscribe to our cybersecurity alerts to stay ahead of emerging threats like CVE-2026-28289. Proactive patching and configuration reviews are essential for protecting open-source systems.
FAQs
What is the FreeScout vulnerability CVE-2026-28289?
A zero-click RCE flaw in FreeScout’s email handling that allows unauthenticated attackers to execute code via malicious .htaccess files.
How does the CVE-2026-28289 exploit bypass previous patches?
By using a Unicode zero-width space to trick validation checks into accepting restricted filenames.
Can this vulnerability affect non-Apache servers?
No—this exploit specifically targets Apache configurations with AllowOverrideAll enabled.
What should I do if I’m using FreeScout?
Upgrade to v1.8.207 immediately and disable AllowOverrideAll in your Apache settings.
How many FreeScout instances are vulnerable?
Shodan identifies ~1,100 public instances, though exact vulnerability counts remain unconfirmed.








