DEV Community

Mark0

Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers

FreeScout, a popular open-source helpdesk platform, is vulnerable to a maximum-severity zero-click remote code execution (RCE) flaw tracked as CVE-2026-28289. This vulnerability allows unauthenticated attackers to hijack mail servers by simply sending a crafted email. The flaw acts as a patch bypass for a previous RCE vulnerability (CVE-2026-27636) and leverages the processing of email attachments to execute malicious code.

Researchers at OX Security discovered that using a zero-width space (Unicode U+200B) allows attackers to bypass filename validation checks. By prefixing a restricted filename like .htaccess with this character, the system fails to recognize the extension during the initial check but later strips the character, saving the malicious file to the server. This enables attackers to access the payload via the web interface and take full control of the host.
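
The ordering problem described above, modelled in Python as an added example: it is not FreeScout's code, and the function names and the deny list are assumptions made for illustration. It contrasts validating the raw name before cleaning it with canonicalising first and validating the name that will actually be stored; the NFKC step goes slightly beyond the U+200B case and also folds look-alike forms such as a fullwidth dot.

```python
import unicodedata

# Assumed deny list for this example; a real deployment carries its own.
RESTRICTED_NAMES = {".htaccess", ".user.ini"}


def strip_invisible(name: str) -> str:
    """Drop Unicode format (Cf) and control (Cc) characters, e.g. U+200B."""
    return "".join(
        ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc")
    )


def is_restricted(name: str) -> bool:
    """Deny-list check on the name exactly as given (dotfiles are refused)."""
    return name.lower() in RESTRICTED_NAMES or name.startswith(".")


def save_name_check_then_clean(name: str):
    """Flawed order: validate the raw name, then clean it for storage."""
    if is_restricted(name):
        return None
    return strip_invisible(name)  # the stored name was never validated


def save_name_clean_then_check(name: str):
    """Corrected order: canonicalise first, then validate what is stored."""
    cleaned = strip_invisible(unicodedata.normalize("NFKC", name)).strip()
    if not cleaned or is_restricted(cleaned):
        return None
    return cleaned


def demo():
    crafted = "\u200b.htaccess"  # constructed sample: U+200B prefix, as in the text
    return {
        "flawed": save_name_check_then_clean(crafted),
        "fixed": save_name_clean_then_check(crafted),
        "benign": save_name_clean_then_check("invoice.pdf"),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies wherever a name is transformed after a security check: run the check on the final, stored form.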

Organizations using FreeScout are urged to update to version 1.8.207 immediately to mitigate this risk. In addition to patching, security experts recommend disabling the 'AllowOverride All' directive in Apache configurations so that Apache does not process uploaded .htaccess files. While no active exploitation has been reported yet, the ease of exploitation makes it a high-priority threat for the more than 1,100 publicly exposed instances.

