Severe FreeScout Flaw Results in Complete Server Breach

A critical vulnerability in the open-source help desk and shared mailbox solution, FreeScout, can be exploited for zero-click remote code execution (RCE) attacks, warns Ox Security.

This vulnerability, identified as CVE-2026-28289, carries a maximum CVSS score of 10 out of 10. It is a patch bypass for CVE-2026-27636, a high-severity authenticated RCE bug that was recently fixed.

The original issue stemmed from a missing .htaccess entry in the file upload restriction list. This could allow an authenticated attacker to upload a .htaccess file, tamper with how Apache processes uploaded files, and potentially achieve RCE.

Ox Security discovered that the patch for the initial CVE can be bypassed using a zero-width space character. This character is invisible and passes the dot-check, resulting in a valid .htaccess filename being saved to disk.

According to FreeScout maintainers, CVE-2026-28289 is a Time-of-Check to Time-of-Use (TOCTOU) issue within the filename sanitization function. The dot-prefix check occurs before sanitization removes invisible characters.

The fix for CVE-2026-27636 aimed to block filenames with restricted file extensions or those that begin with a period by appending an underscore to the file extension. However, an attacker can bypass this by prepending a zero-width space character (Unicode U+200B) to the filename. Since this character is not treated as visible content, the filename bypasses validation, the U+200B character is stripped, and the file is saved as a true dotfile.
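The check-then-strip ordering described above, alongside the corrected order (canonicalise first, decide on the final string), as an added example that is not FreeScout's code. FreeScout is written in PHP; the ordering problem is language-independent, so this is shown in Python. The deny-list, the helper names and the sample filenames are constructed for illustration and are not taken from the project.

```python
import unicodedata

# Constructed, illustrative deny-list of executable extensions; FreeScout's
# real restriction list is not shown in the article.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}


def strip_invisible(name: str) -> str:
    """Remove Unicode format (Cf) and control (Cc) code points.

    U+200B ZERO WIDTH SPACE is category Cf, so it disappears here.
    """
    return "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def needs_neutralising(name: str) -> bool:
    """The predicate the article describes: leading period or blocked extension."""
    return name.startswith(".") or extension_of(name) in BLOCKED_EXTENSIONS


def vulnerable_sanitize(filename: str) -> str:
    """Check first, strip later: the TOCTOU ordering the article describes."""
    # Time of check: the raw name is inspected.  For "\u200b.htaccess" the first
    # character is U+200B, not ".", so the dot check does not fire.
    name = filename + "_" if needs_neutralising(filename) else filename
    # Time of use: invisible characters are removed afterwards, and the name
    # that reaches the disk is a genuine ".htaccess".
    return strip_invisible(name)


def hardened_sanitize(filename: str) -> str:
    """Canonicalise first, decide last, on exactly the string that will be written."""
    name = strip_invisible(unicodedata.normalize("NFKC", filename)).strip()
    name = name.replace("/", "_").replace("\\", "_")  # never a path component
    name = name.lstrip(".")                            # no dotfiles at all
    if not name:
        name = "unnamed"
    if extension_of(name) in BLOCKED_EXTENSIONS:
        name += "_"
    # Final guard on the value actually used: if this ever fires, the
    # sanitiser has a hole and the upload should be rejected, not written.
    if needs_neutralising(name):
        raise ValueError(f"sanitiser produced an unsafe name: {name!r}")
    return name


if __name__ == "__main__":
    # Constructed sample names; the first has the shape of the bypass in the article.
    samples = ["\u200b.htaccess", ".htaccess", "\u200bshell.php", "report.pdf", "\u200b"]
    for raw in samples:
        print(f"{raw!r:>22}  vulnerable={vulnerable_sanitize(raw)!r:<14}"
              f"hardened={hardened_sanitize(raw)!r}")
```

Running the block shows the vulnerable path turning a name that passed every check into a real `.htaccess`, while the hardened path never lets a dotfile or blocked extension reach the return statement. The general rule is that any property you check must be checked on the exact bytes that will be used, after all normalisation, decoding and stripping have happened. Because the article notes that exploitation depends on Apache honouring per-directory configuration files (`AllowOverride All`), serving upload storage from a directory configured with `AllowOverride None` is an independent mitigation that holds even if a sanitiser bug recurs.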

Ox Security explains that the attack involves sending a malicious email from any address to a mailbox configured in FreeScout. This attack requires no authentication and no user interaction. The malicious payload is written to disk on the FreeScout server and can then be used to execute commands remotely.

The cybersecurity firm notes that attackers can predict where the file will be saved on the disk, enabling them to access the payload and execute commands on the server.

Successful exploitation of this new vulnerability could allow attackers to take full control of vulnerable servers, extract helpdesk tickets, mailbox content, and other sensitive data from FreeScout, and potentially spread to other systems on the network.

FreeScout maintainers explain that all FreeScout 1.8.206 installations are affected when running on Apache with AllowOverride All enabled, a common configuration.

CVE-2026-28289 was resolved in FreeScout version 1.8.207. Users are advised to update their deployments as soon as possible.
