FreeScout zero-click RCE (CVE-2026-28289)
Vulnerability
Summary
A newly disclosed CVE-2026-28289 in FreeScout enables zero-click remote code execution, putting affected helpdesk servers at risk of full compromise. The flaw bypasses a prior upload fix by abusing a zero-width space (U+200B) to evade filename validation and save a malicious payload as a dotfile. It affects all FreeScout versions up to 1.8.206, and 1.8.207 is patched. The vendor says successful exploitation could lead to data breaches, lateral movement, and service disruption.
Related Happenings
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
Sangoma FreePBX web shell exploitation wave (CVE-2025-64328)
Exploitation Wave
First: 27.02.2026 19:59
Last: 27.02.2026 19:59
Sources 1
About this happening:
More than **900 Sangoma FreePBX** instances remain **web-shell infected** after an **ongoing exploitation wave** tied to **CVE-2025-64328**. The affected systems span the **U.S.**...
CISA KEV mitigation for BeyondTrust CVE-2026-1731
Advisory/Mitigation
First: 20.02.2026 19:02
Last: 20.02.2026 19:02
Sources 1
About this happening:
CISA ordered urgent **KEV** mitigation for **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access**, forcing affected federal deployments to **apply th...
CISA updates KEV entry for CVE-2026-1731
Public Sector Action
First: 20.02.2026 17:45
Last: 20.02.2026 17:45
Sources 1
About this happening:
**CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...
Timeline
05.03.2026 13:00 2 articles · 2mo ago
FreeScout zero-click RCE disclosure and remediation
Initial Disclosure: OX Security disclosed CVE-2026-28289 (Mail2Shell) in FreeScout as a maximum-severity zero-click RCE that bypasses CVE-2026-27636, allowing a single crafted email sent to any configured FreeScout address to execute code on the server without authentication or user interaction. The vendor warned that full server takeover could expose helpdesk tickets and mailboxes and enable lateral movement, and it urged customers to upgrade to v1.8.207 or later and disable AllowOverride All in Apache.
- Zero-Click FreeScout Bug Enables Remote Code Execution — www.infosecurity-magazine.com — 05.03.2026 13:00
04.03.2026 23:51 1 article · 2mo ago
FreeScout 1.8.207 patch release
Mitigation Patch Update: FreeScout 1.8.207 was released four days before 2026-03-04 as the fix for CVE-2026-28289, the FreeScout patch bypass vulnerability affecting version 1.8.206 and earlier. The update was intended to block dangerous file uploads that could be used to reach remote code execution through malicious attachments and dotfile-style payloads.
- Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers — www.bleepingcomputer.com — 04.03.2026 23:51
04.03.2026 23:51 1 article · 2mo ago
OX Security discloses CVE-2026-28289 in FreeScout
Initial Disclosure: OX Security disclosed CVE-2026-28289 in FreeScout, describing a maximum-severity zero-click RCE that can be triggered by a single crafted email or a malicious attachment sent to a configured mailbox. The flaw bypasses the prior CVE-2026-27636 fix by placing a zero-width space (Unicode U+200B) before a filename, then relying on subsequent processing to strip the character and save the payload as a dotfile such as a malicious .htaccess file. The vendor warned that successful exploitation may lead to full server compromise, data breaches, lateral movement into internal networks, and service disruption, and OX Research recommended disabling AllowOverride All in the Apache configuration even on 1.8.207.
- Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers — www.bleepingcomputer.com — 04.03.2026 23:51
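The check-then-strip ordering described above, modelled in Python as an added example. This is not FreeScout's code (FreeScout is PHP and its source is not shown on this page); the function names and sample filenames are constructed for illustration. It puts a dot check that runs before invisible characters are removed next to one that canonicalises the name first.

```python
import unicodedata

# Constructed sample names; "\u200b" is the zero-width space (U+200B)
# named in the advisory.
SAMPLES = ["report.pdf", ".htaccess", "\u200b.htaccess", "notes\u200b.txt"]


def is_dotfile(name: str) -> bool:
    """The validation step: reject names whose first character is a dot."""
    return name.startswith(".")


def strip_invisible(name: str) -> str:
    """Drop Unicode format (Cf) and control (Cc) characters such as U+200B."""
    return "".join(
        ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc")
    )


def store_name_flawed(name: str):
    """Validate first, clean afterwards: the check never sees the final name."""
    if is_dotfile(name):
        return None  # rejected
    return strip_invisible(name)  # later processing removes U+200B


def store_name_hardened(name: str):
    """Canonicalise first, then validate the exact string that gets written."""
    # NFKC also folds look-alikes such as U+FF0E (fullwidth full stop) to ".".
    clean = strip_invisible(unicodedata.normalize("NFKC", name)).strip()
    if not clean or is_dotfile(clean):
        return None  # rejected
    return clean


def compare(names=SAMPLES):
    """Map each input to (name stored by flawed order, name stored by hardened)."""
    return {n: (store_name_flawed(n), store_name_hardened(n)) for n in names}


if __name__ == "__main__":
    for raw, (flawed, hardened) in compare().items():
        print(f"{raw!r:22} flawed={flawed!r:14} hardened={hardened!r}")
```

The model covers only the leading-dot check; a production upload handler would also constrain path separators, extensions and the storage location.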