Critical FreeScout Vulnerability Leads to Full Server Compromise
Briefly

"The attack works by sending a malicious email from any address to a mailbox configured in FreeScout. Importantly, this requires no authentication and no user interaction. The malicious payload is written to disk on the FreeScout server and can then be leveraged to execute commands remotely."
"To bypass the patch, an attacker prepends a zero-width space character (Unicode U+200B) to the filename. Because the character is not treated as visible content, the filename bypasses validation, the U+200B character is stripped, and the file is saved as a true dotfile."
"CVE-2026-28289 is a Time-of-Check to Time-of-Use (TOCTOU) issue in the filename sanitization function, where the dot-prefix check occurs before sanitization removes invisible characters."
CVE-2026-28289 is a critical FreeScout vulnerability that bypasses the patch for CVE-2026-27636. The original flaw let authenticated attackers upload .htaccess files and achieve remote code execution. The patch tried to neutralize restricted extensions and dot-prefixed filenames by appending underscores, but it ran those checks before sanitization stripped invisible characters. An attacker can therefore prepend a zero-width space (Unicode U+200B) to the filename: the check sees no leading dot, the U+200B is removed afterwards, and the file is saved as a genuine dotfile. Because attachments arrive by email to a FreeScout mailbox, exploitation needs no authentication and no user interaction; the payload lands at a predictable location on disk and can then be used for command execution.
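The ordering bug the quotes describe is easy to reproduce in miniature. The block below is an added illustration, not FreeScout's code: it contrasts a sanitizer that checks for a leading dot before stripping invisible characters with one that normalizes first. The function names, the decision to strip every Unicode "format" (Cf) character rather than only U+200B, and the sample filenames are assumptions for the demo; the restricted-extension handling mentioned in the summary is not modeled.

```python
import unicodedata

# Constructed sample inputs for the demo (not taken from the advisory).
SAMPLES = [
    "report.pdf",             # ordinary attachment, must pass untouched
    ".htaccess",              # plain dotfile, the patch should neutralize it
    "\u200b.htaccess",        # zero-width space prepended: the bypass payload
    "\ufeff\u200c.htaccess",  # other Cf characters, same trick generalized
]


def strip_invisible(name: str) -> str:
    """Drop Unicode 'format' characters (general category Cf).

    That category contains U+200B ZERO WIDTH SPACE as well as the zero-width
    joiner/non-joiner (U+200C/U+200D) and the BOM (U+FEFF), so the check
    below generalizes beyond the single character named in the advisory.
    """
    return "".join(c for c in name if unicodedata.category(c) != "Cf")


def neutralize_dotfile(name: str) -> str:
    """Append an underscore to a dot-prefixed name, as the summary says the
    patch did. '.htaccess' becomes '.htaccess_', which Apache ignores."""
    return name + "_" if name.startswith(".") else name


def sanitize_vulnerable(name: str) -> str:
    """Check first, normalize second: the TOCTOU ordering described above.

    For '\u200b.htaccess' the dot-prefix check sees U+200B in position 0,
    so nothing is appended; stripping then exposes the leading dot and the
    file is written as a true '.htaccess'.
    """
    name = neutralize_dotfile(name)   # decision made on the raw input...
    return strip_invisible(name)      # ...which is then changed after the fact


def sanitize_fixed(name: str) -> str:
    """Normalize first, then check the exact string that will hit the disk."""
    name = strip_invisible(name)
    return neutralize_dotfile(name)


def is_dotfile(name: str) -> bool:
    """What the filesystem (and Apache) will see once the name is written."""
    return name.startswith(".")


def compare(names=SAMPLES):
    """Return (input, vulnerable_result, fixed_result) for each sample so the
    difference between the two orderings is visible side by side."""
    return [(n, sanitize_vulnerable(n), sanitize_fixed(n)) for n in names]


if __name__ == "__main__":
    for raw, vuln, fixed in compare():
        print(f"{raw!r:28} vulnerable -> {vuln!r:14} (dotfile={is_dotfile(vuln)})"
              f"  fixed -> {fixed!r}")
```

The general lesson is the one in the third quote: any validation must run on the canonical form of the value, after every transformation the storage path will apply, or an attacker picks an encoding that passes the check and is only "decoded" afterwards. Rejecting the upload outright when the normalized name differs from the original is a stricter alternative to silently rewriting it.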
Read at SecurityWeek