A critical unauthenticated vulnerability in the FreeScout helpdesk platform enables attackers to achieve remote code execution simply by sending a malicious email. Tracked as CVE-2026-28289, this flaw bypasses a previous patch for another remote code execution issue that required authenticated users with upload permissions. Researchers discovered that a zero-width space character placed before a filename could circumvent newly implemented validation mechanisms designed to block dangerous file uploads.
When an email containing a malicious attachment reaches any mailbox configured in FreeScout, the system stores the file and subsequent processing removes the invisible character, allowing the payload to be saved as a dotfile. This enables attackers to access the uploaded content through the web interface and execute commands on the server without any authentication or user interaction, making it a true zero-click vulnerability. FreeScout serves as a self-hosted open-source alternative to platforms like Zendesk, with approximately 1,100 publicly exposed instances identified through Shodan scans.
All versions up to and including 1.8.206 are affected, with the patch released in version 1.8.207 just days ago. Successful exploitation could lead to complete server compromise, data breaches, lateral movement into internal networks, and service disruption. Security researchers recommend immediate patching and additionally suggest disabling AllowOverride All in the Apache configuration even after updating. While no active exploitation has been observed yet, the severity and accessibility of this flaw suggest a high likelihood of imminent malicious activity targeting exposed FreeScout instances.
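The report describes a validation step that inspected the raw attachment name while a later step stripped the invisible character, so the check never saw the dotfile that was written. The added Python example below (not FreeScout's code; function names and the sample filename are constructed) contrasts that ordering with the hardened one, where the name is normalized before any check runs.

```python
import unicodedata

# Unicode category Cf ("format") covers invisible characters such as the
# zero-width space U+200B, zero-width joiner/non-joiner and the byte-order mark.
# Stripping them is a constructed stand-in for the later processing step that,
# per the report, removed the invisible character before the file was saved.
def strip_format_chars(name: str) -> str:
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def is_dotfile(name: str) -> bool:
    return name.startswith(".")


def store_check_then_normalize(name: str):
    """Vulnerable ordering: validate the raw name, normalize afterwards.

    Returns the name that would be written to disk, or None if rejected.
    A leading zero-width space hides the dot from the check; the strip step
    then removes it and a dotfile is written anyway.
    """
    if is_dotfile(name):
        return None
    return strip_format_chars(name)


def store_normalize_then_check(name: str):
    """Hardened ordering: normalize first so the check sees the real name.

    NFKC folds compatibility look-alikes, the Cf strip removes invisible
    characters, and only the resulting name is validated and stored.
    """
    normalized = strip_format_chars(unicodedata.normalize("NFKC", name))
    if not normalized or is_dotfile(normalized):
        return None
    return normalized


if __name__ == "__main__":
    sample = "\u200b.dotfile"  # constructed: zero-width space, then a dotfile name
    print("check-then-normalize writes:", store_check_then_normalize(sample))
    print("normalize-then-check writes:", store_normalize_then_check(sample))
```

Any other name-based rule (extension allowlists, path separators) should likewise run on the normalized name, since each transformation applied after a check is a chance for the two to disagree.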