Critical FreeScout Flaw: Zero-Click RCE via Email (CVE-2026-28289)

▼ Summary
– A critical vulnerability (CVE-2026-28289) in the FreeScout help desk platform allows attackers to take over servers by sending a specially crafted email to a FreeScout mailbox.
– The vulnerability is a bypass of a previous patch and exploits a flaw in filename validation by using a Zero-Width Space character to upload dangerous configuration files like `.htaccess`.
– Successful exploitation enables remote code execution, particularly on common Apache server configurations, allowing attackers to run commands and potentially access sensitive data.
– Researchers estimate around 1,100 FreeScout instances are publicly exposed, with confirmed deployments across sectors like healthcare, finance, and technology.
– Users must immediately upgrade to FreeScout version 1.8.207 and are advised to disable the `AllowOverride All` setting in their Apache server configuration.
A critical security flaw in the popular open-source help desk software FreeScout enables remote attackers to execute code and seize control of servers simply by sending a malicious email. Tracked as CVE-2026-28289, this vulnerability is a bypass of a previous patch and poses a severe risk to unpatched systems, particularly those running on Apache web servers. Organizations using the platform for customer support must take immediate action to secure their deployments.
FreeScout is a widely used, self-hosted help desk solution built with PHP and MySQL. It allows teams to consolidate customer conversations from various channels into a single, manageable inbox. The newly discovered weakness stems from an inadequate fix for an earlier issue, CVE-2026-27636. That initial vulnerability existed because the platform’s list of restricted file uploads failed to include dangerous configuration files like `.htaccess` and `.user.ini`.
On Apache servers configured with `AllowOverride All`, a common setting, an attacker who uploads a `.htaccess` file can redefine how the server processes files in that directory. This capability opens the door directly to remote code execution. The patch for the original flaw attempted to block such uploads by appending an underscore to the filename if it used a restricted extension or began with a period.
However, security researchers found a clever way to circumvent this protection. They discovered that by prepending a Zero-Width Space character (Unicode U+200B) to the filename, they could trick the validation check. The system does not treat this invisible character as visible content during the initial scan, allowing the malicious filename to pass through. Later in the processing chain, the zero-width space is stripped away, resulting in the file being saved as a true dotfile (like `.htaccess`) on the server’s disk.
What makes this flaw exceptionally dangerous is the method of remote exploitation. Attackers do not need any authentication or user interaction. They can trigger the vulnerability simply by sending a specially crafted email containing the malicious `.htaccess` file and a webshell payload to a mailbox monitored by the FreeScout instance. The email processing functionality automatically writes the payload to a predictable location on the server. Once saved, the attacker can then access this location via the web interface to execute arbitrary system commands, effectively taking over the server.
Current scans indicate roughly 1,100 FreeScout instances are publicly exposed on the internet. The full scope of affected systems is unknown, but vulnerable deployments face the threat of complete system compromise. Attackers could exfiltrate sensitive data from helpdesk tickets and mailboxes, and potentially use the compromised server as a foothold to launch further attacks within the same network. Researchers have observed exposed instances across several critical sectors, including healthcare, finance, technology, and media.
To protect against this threat, administrators must urgently upgrade their FreeScout installation to version 1.8.207 or later, which contains the necessary fix. For those running the software on an Apache server, an additional critical hardening step is to disable the `AllowOverride All` directive in the Apache configuration for the FreeScout directory, significantly reducing the attack surface. Staying informed about such vulnerabilities is crucial for maintaining organizational security in an increasingly targeted digital environment.
(Source: HelpNet Security)