Mail2Shell: Zero‑Click RCE in FreeScout Helpdesk

Researchers have disclosed a maximum-severity vulnerability in the FreeScout helpdesk platform that lets an unauthenticated attacker take over the FreeScout server with zero-click remote code execution (RCE) simply by emailing a mailbox it monitors. Tracked as CVE-2026-28289, the flaw bypasses a previous patch and illustrates how a subtle gap in the ordering of input validation in widely used open-source software can be weaponized.

The Vulnerability

  • Component: FreeScout (open‑source helpdesk and shared mailbox platform).
  • Type: Attachment filename validation bypass that permits an arbitrary dotfile write, leading to remote code execution.
  • Impact: Full server compromise, data breaches, lateral movement, and service disruption.
  • Severity: Maximum — unauthenticated, zero‑click exploitation.
  • Versions affected: Up to and including 1.8.206.
  • Patched: Version 1.8.207 (released four days ago).

Exploitation Chain

  1. Crafted email: The attacker sends a message with a malicious attachment to any mailbox FreeScout is configured to fetch; no account or interaction is needed.
  2. Validation bypass: The attachment filename is prefixed with a zero-width space (Unicode U+200B). The filter that blocks dotfiles checks whether the raw name starts with ".", and a name that starts with an invisible character passes.
  3. Dotfile creation: A later sanitization step strips the invisible character, so the name actually written to disk begins with "." and is exactly the kind of dotfile the earlier check was meant to block.
  4. Payload execution: The file is stored under /storage/attachment/… in the web-served storage tree, where it is reachable through the web interface and the web server honours it, giving the attacker arbitrary command execution.
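The ordering bug in steps 2 and 3, as an added illustrative model in Python (constructed for this article, not FreeScout's own code, which is PHP): a dotfile check that runs before invisible characters are stripped sees a name beginning with U+200B rather than ".", and the strip that follows produces the dotfile. The hardened variant normalizes first and validates the exact string that will be written. The sample name .htaccess is an assumption drawn from the Apache hardening recommendation further down, not a name stated in the exploitation chain.

```python
import unicodedata

# Unicode "format" characters (general category Cf) are invisible when
# rendered and are commonly dropped by filename-sanitizing routines.
# U+200B is the one the article names; the strip below covers the whole class.
ZERO_WIDTH_SPACE = "\u200b"


def strip_invisible(name: str) -> str:
    """Drop every Cf character (zero-width space, joiners, BOM, ...)."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def is_dotfile(name: str) -> bool:
    """The check a dotfile filter performs: does the name start with '.'?"""
    return name.startswith(".")


def vulnerable_store_name(filename: str):
    """Validate, then normalize (the bug pattern).

    The dotfile check runs on the raw name. U+200B followed by '.htaccess'
    does not start with '.', so it passes; the strip that follows turns it
    into '.htaccess', which is what gets written. Returns None when rejected.
    """
    if is_dotfile(filename):
        return None
    return strip_invisible(filename)


def hardened_store_name(filename: str):
    """Normalize, then validate the exact string that will be written.

    Compatibility normalization (NFKC) and the Cf strip run first, any path
    component is discarded, and only then is the dotfile rule applied to
    the final name. Returns None when rejected.
    """
    cleaned = strip_invisible(unicodedata.normalize("NFKC", filename))
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    if not cleaned or is_dotfile(cleaned):
        return None
    return cleaned


if __name__ == "__main__":
    # Constructed attachment names: an ordinary upload and the bypass payload.
    for name in ("invoice.pdf", ZERO_WIDTH_SPACE + ".htaccess"):
        print(repr(name), "-> vulnerable:", repr(vulnerable_store_name(name)),
              "hardened:", repr(hardened_store_name(name)))
```

The general rule the hardened function follows is that every transformation applied to untrusted input (Unicode normalization, character stripping, path splitting) must happen before the security check, and the check must run on the byte-for-byte value that reaches the filesystem.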

Why It Matters

  • Zero-click: No user interaction is required; exploitation happens when FreeScout fetches and processes the crafted email.
  • Patch bypass: CVE‑2026‑28289 circumvents the fix for CVE‑2026‑27636, showing how attackers chain subtle bypasses.
  • Exposure: Shodan scans reveal ~1,100 publicly accessible FreeScout instances.
  • Enterprise risk: FreeScout is a self‑hosted alternative to Zendesk or Help Scout, widely adopted for customer support.

Defensive Recommendations

  • Patch immediately: Upgrade to FreeScout 1.8.207.
  • Apache hardening: Set AllowOverride None (rather than AllowOverride All) for the directory that serves attachments, so Apache ignores per-directory .htaccess files an attacker manages to write there.
  • Attachment monitoring: Inspect for dotfiles and anomalous uploads.
  • Threat hunting: Check /storage/attachment/ for suspicious files.
  • Segmentation: Isolate helpdesk servers from critical internal networks.
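The attachment-monitoring and threat-hunting recommendations, as an added Python hunting script that is not part of the article: it walks an attachment tree (the page's /storage/attachment/ path, passed in as root) and flags dotfiles or dot-directories, names containing invisible format characters such as U+200B, names with control characters and, as an assumption not stated on the page, a small set of server-executable extensions that a helpdesk attachment store has no reason to hold.

```python
import os
import unicodedata
from typing import Iterable

# Extensions an attachment store should never need to serve executably.
# Assumed list for this example; tune it to the deployment.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".cgi", ".sh"}


def flag_name(rel_path: str) -> list[str]:
    """Return the reasons a stored path looks suspicious (empty list if clean)."""
    reasons = []
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p]
    if any(p.startswith(".") for p in parts):
        reasons.append("dotfile or dot-directory")
    cats = [unicodedata.category(ch) for ch in rel_path]
    if "Cf" in cats:
        reasons.append("invisible format character (e.g. U+200B) in name")
    if any(c[0] == "C" and c != "Cf" for c in cats):
        reasons.append("control character in name")
    ext = os.path.splitext(parts[-1])[1].lower() if parts else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    return reasons


def scan_names(names: Iterable[str]) -> dict[str, list[str]]:
    """Map each suspicious relative path to its list of reasons."""
    return {n: r for n in names if (r := flag_name(n))}


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk an attachment tree on disk (e.g. storage/attachment) and scan it."""
    names = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            names.append(os.path.relpath(os.path.join(dirpath, f), root))
    return scan_names(names)


# Constructed sample listing, shaped like a dump of storage/attachment/.
SAMPLE_LISTING = [
    "123/456/invoice.pdf",
    "123/456/screenshot.png",
    "123/457/.htaccess",
    "124/001/\u200breport.docx",
    "124/002/shell.php",
]

if __name__ == "__main__":
    for path, reasons in scan_names(SAMPLE_LISTING).items():
        print(repr(path), "->", "; ".join(reasons))
```

Run scan_tree against the live storage directory on a schedule and alert on any non-empty result; after patching, a single sweep also confirms nothing was written before the upgrade.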

Final Thought

Mail2Shell demonstrates how invisible characters can turn a gap in input validation ordering into a weapon. For leaders, the lesson is clear: self-hosted open-source platforms that ingest untrusted email must be treated as critical infrastructure, with rapid patch adoption and layered defenses against creative bypass techniques.
