{"id":4719,"date":"2026-03-05T12:39:10","date_gmt":"2026-03-05T12:39:10","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/03\/05\/zero-click-freescout-bug-enables-remote-code-execution\/"},"modified":"2026-03-05T12:39:10","modified_gmt":"2026-03-05T12:39:10","slug":"zero-click-freescout-bug-enables-remote-code-execution","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/05\/zero-click-freescout-bug-enables-remote-code-execution\/","title":{"rendered":"Zero-Click FreeScout Bug Enables Remote Code Execution"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security researchers have urged FreeScout customers to patch a maximum-severity remote code execution (RCE) vulnerability which needs no user interaction to achieve full system compromise.<\/p>\n<p>CVE\u20112026\u201128289 (Mail2Shell) is actually a bypass for an earlier vulnerability (CVE-2026-27636) in the open source helpdesk platform, which could enable authenticated attackers to hijack targeted systems, according to Ox Security.<\/p>\n<p>\u201cWe discovered a patch bypass that allowed us to reproduce the same RCE on newly updated servers, demonstrating how quickly incomplete fixes can be circumvented,\u201d the security vendor explained in a blog post.<\/p>\n<p>\u201cDuring our deeper analysis, we escalated the attack chain further \u2013 converting it into a zero\u2011click RCE. 
By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without user interaction.\u201d<\/p>\n<p>Ox Security claimed that thousands of customers may be at risk. It said FreeScout has over 4000 GitHub stars and around 1100 publicly exposed instances identified via Shodan. The PHP-based Laravel framework on which FreeScout is based is even more widely adopted, with over 83,000 GitHub stars and around 13,000 publicly exposed servers, it added.<\/p>\n<h2><strong>Impact and Next Steps<\/strong><\/h2>\n<p>With full server\/system takeover, attackers could steal data from helpdesk tickets, mailboxes and other data stored in FreeScout, the security vendor warned. They could also move laterally from FreeScout to other systems on the network.<\/p>\n<p>Ox Security urged FreeScout customers to upgrade immediately to v1.8.207 or later, and to always disable AllowOverride All in the Apache configuration on the FreeScout server \u2013 even when on the latest version.<\/p>\n<p>The problems associated with faulty or incomplete patches are well documented.<\/p>\n<p>Back in 2021, Google\u2019s Project Zero complained that as many as a quarter of zero-day exploits discovered the year before could have been avoided if vendors had taken a more methodical and comprehensive approach to patching.<\/p>\n<p>Its decision to move to a full 90-day disclosure policy was designed to ensure vendors have more time to perform root cause and variant analysis.<\/p>\n<p>In 2022, Trend Micro\u2019s Zero Day Initiative (ZDI) also complained about poor patch quality across the industry, warning that it could be costing customers upwards of $400,000 per faulty update.<\/p>\n<p>It noted both a decline in the quality of patches and vendor communication with customers.<\/p>\n<p>Ox Security 
said that threat actors \u201croutinely diff patches, probe fixes, and search for variant exploitation paths within hours of disclosure\u201d in order to look for new attack paths. Even mature open source projects and well-resourced vendors have been found wanting in the past.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have urged FreeScout customers to patch a maximum-severity remote code execution (RCE) vulnerability which needs no user interaction to achieve full system compromise. CVE\u20112026\u201128289 (Mail2Shell) is actually a bypass for an earlier vulnerability (CVE-2026-27636) in the open source helpdesk platform, which could enable authenticated attackers to hijack targeted systems, according to Ox Security.<\/p>\n","protected":false},"author":2,"featured_media":4720,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4719","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d
2ac9b7eacb0.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4719-75128060-e5ba-4b6e-a890-d2ac9b7eacb0-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4719"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4719\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4720"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":tru
e}]}}