FreeScout disclosed a maximum-severity remote code execution vulnerability, CVE-2026-28289, that enables a zero-click compromise of FreeScout mail servers by sending a single crafted email with a malicious attachment to any mailbox configured in the platform. The issue is a patch bypass of an earlier RCE, CVE-2026-27636, where filename validation intended to block dangerous uploads can be evaded by prefixing the filename with a zero-width space (U+200B), allowing the attachment to be stored and later processed in a way that results in code execution (e.g., via a malicious .htaccess).
Technical details indicate the weakness resides in sanitizeUploadedFileName() (app/Http/Helper.php) and is characterized as a TOCTOU logic flaw: the dot-prefix/extension checks occur before sanitization removes invisible characters, enabling restricted filenames to pass validation and later be interpreted as dotfiles after normalization. The attachment is stored under /storage/attachment/... and can be reached through the web interface, enabling unauthenticated exploitation in the email-delivery scenario; the vendor fix is available in FreeScout 1.8.207, and the vulnerability is scored CVSS v3.1 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) with CWE-434 (unrestricted upload).

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
A Rapid7 Metasploit Framework pull request was opened to add a FreeScout zero-width-space .htaccess RCE module for CVE-2026-28289. This indicated public exploit tooling development for the vulnerability.
OX Security reported that the patch bypass could be exploited as an unauthenticated, zero-click RCE by sending a crafted email with a malicious attachment to a FreeScout-connected mailbox. The researchers said the attachment could be written to a predictable web-accessible location, enabling server compromise without user interaction.
CVE-2026-28289 was published describing a vulnerability affecting FreeScout 1.8.206 and earlier, where a zero-width space character could bypass filename security checks and lead to remote code execution. The advisory linked the issue to unrestricted dangerous file upload behavior and identified 1.8.207 as the fixed version.
FreeScout patched a bypass of its earlier upload protections in version 1.8.207. The fix addressed a TOCTOU issue in filename sanitization that let attackers use a zero-width space prefix to smuggle dangerous filenames such as .htaccess.
An earlier FreeScout vulnerability, CVE-2026-27636, allowed authenticated remote code execution by abusing draft-email attachment uploads to overwrite .htaccess and execute attacker-controlled PHP. FreeScout issued an initial patch intended to block dangerous extensions and dotfiles, but that fix was later found to be incomplete.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcegithub.com
Open sourcebleepingcomputer.com
Open sourcecvefeed.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.