Introduction
Recently, researchers from OX Research disclosed a critical vulnerability affecting the open-source help desk platform FreeScout. The issue escalates a previously patched authenticated remote code execution vulnerability into a "Zero-Click Unauthenticated Remote Code Execution".
Tracked as CVE-2026–28289, this vulnerability allows attackers to execute arbitrary commands on the server simply by sending a specially crafted email.
No authentication, no user interaction.
The vulnerability affects FreeScout versions up to 1.8.206 and was patched in 1.8.207.
This research highlights an important lesson in vulnerability remediation:
A patch release does not always eliminate risk. Attackers routinely analyze patches and search for bypasses within hours of disclosure.
Understanding FreeScout Architecture
FreeScout is a self-hosted help desk platform built on Laravel. Organizations use it to manage support tickets and shared mailboxes.
Typical deployment architecture:
Internet
↓
Mail Server (IMAP/POP3)
↓
FreeScout Mail Fetcher
↓
Attachment Processing
↓
Stored in /storage/attachments/
↓
Accessible via Web InterfaceFreeScout periodically polls configured mailboxes and automatically imports incoming emails and attachments. This automatic processing becomes the core attack surface.
Original Vulnerability (Older — Authenticated RCE)
Earlier research revealed an authenticated remote code execution vulnerability where attackers could upload malicious files through attachment functionality.
Attack chain:
Authenticated User
↓
Upload malicious attachment
↓
File stored on server
↓
File executed by web server
↓
Remote Code ExecutionThe FreeScout maintainers released a patch attempting to prevent dangerous file uploads by validating file names and extensions. and followed the following approach.
The Security Patch
The patch introduced a validation mechanism in the file processing helper.
Example validation logic:
$ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
if (preg_match('/('.implode('|', self::$restricted_extensions).')/', $ext)) {
$file_name = $file_name.'_';
}This logic attempted to block dangerous file extensions such as: php, phtml, phar.
If detected, the system modifies the filename: shell.php -> shell.php_
This prevents direct execution.
The patch also attempted to block dotfiles.
Example:
.htaccess
.user.iniThese files are dangerous because they can alter the server configuration.
Why .htaccess Files Are Dangerous!
The Apache web server uses .htaccess files to apply directory-specific configuration. Attackers can abuse this by defining new file execution rules.
Example malicious rule:
AddType application/x-httpd-php .txtThis instructs Apache to execute .txt files as PHP scripts.
This means: "webshell.txt" can become executable PHP code.
The Patch Bypass
While reviewing the patch, OX Research discovered a validation bypass using a Unicode character.
The bypass uses a Zero-Width Space character:
Unicode U+200BThis character is invisible when rendered.
Example malicious filename:
[U+200B].htaccessVisually, it appears as:
.htaccessBut internally it is:
\u200b.htaccessWhy the Validation Fails
The patch checks if a filename starts with a period using:
mb_substr($file_name, 0, 1) == '.'However, the first character in the malicious filename is:
U+200BTherefore, the validation sees:
filename starts with Unicode characterinstead of:
filename starts with "."The validation check passes.
Character Removal Later in the Pipeline
Later in the processing logic, the system removes Unicode formatting characters.
Example sanitization logic:
$file_name = preg_replace("#\p{Cf}+#u", '', $file_name);This removes characters like:
U+200BSo the filename changes from:
\u200b.htaccessto:
.htaccessThis results in a real dotfile being written to disk, bypassing the validation logic entirely.
Escalating to Unauthenticated RCE
Once the bypass was confirmed, researchers realized the attack chain could be escalated.
Because FreeScout automatically processes incoming emails, attackers can send attachments directly to the system.
Attack flow:
Attacker
↓
Send crafted email
↓
Mail server receives message
↓
FreeScout polls mailbox
↓
Attachments downloaded
↓
Files saved to diskNo authentication is required, No user interaction is required.
Exploit Workflow
The attack uses two files:
.htaccess
webshell.txtStep 1 — Upload malicious .htaccess
The attacker sends an email attachment containing a malicious .htaccess file.
Example configuration:
AddType application/x-httpd-php .txtThis forces Apache to execute .txt files as PHP.
Step 2 — Upload web shell
A second attachment contains a small PHP script saved as a .txt file.
Example simplified shell:
PHP script capable of executing system commandsWhen accessed through the browser, the script executes commands on the server.
File Storage Location
FreeScout stores attachments in:
/storage/attachments/Example path:
/storage/attachments/2026/05/webshell.txtBecause the .htaccess file modifies execution rules, accessing this file can trigger PHP execution.
Command Execution
Once the shell is reachable via HTTP, attackers can execute commands remotely.
Typical attacker workflow:
1. Access web shell
2. Run reconnaissance commands
3. Extract credentials
4. Pivot to other systemsCommon attacker objectives include:
- Reading Laravel
.envconfiguration - Extracting database credentials
- Dumping helpdesk ticket data
- Uploading persistent backdoors
Why This Attack Is Dangerous
The vulnerability requires:
No login
No phishing
No user actionAttack chain:
Send email
↓
Server processes attachment
↓
Payload written to disk
↓
Attacker accesses payload
↓
Remote Code Execution This qualifies as Zero-Click exploitation.
Potential Impact
If exploited successfully, attackers can achieve:
Full server compromise
Remote command execution on the FreeScout host.
Sensitive data exposure
FreeScout systems often contain:
- Customer support tickets
- Internal communications
- Password reset emails
- Attachments and sensitive files
Lateral movement
Compromised servers can be used to access:
- Internal databases
- Cloud credentials
- Additional systems on the network
Recommended Mitigations
Organizations should immediately upgrade to FreeScout 1.8.207 or later.
Additional defensive measures include:
Disable .htaccess overrides
Apache configuration:
AllowOverride NonePrevent script execution in upload directories
Upload directories should not allow PHP execution.
Example configuration:
php_admin_flag engine offStore attachments outside the web root
Instead of:
/var/www/html/storageUse:
/var/data/uploadsMonitor suspicious files
Security teams should monitor for unexpected files such as:
.htaccess
*.php
*.phtmlinside attachment directories.
Lessons Learned
This vulnerability demonstrates a recurring issue in vulnerability remediation:
Patch
↓
Researchers diff the code
↓
Variant discovered
↓
Patch bypassAttackers frequently analyze patches immediately after release.
Incomplete validation logic or incorrect sanitization order can lead to bypasses.
Conclusion
The discovery of CVE-2026–28289 highlights how quickly vulnerabilities can evolve after an initial disclosure.
A vulnerability that originally required authentication was escalated to a Zero-Click, Unauthenticated Remote Code Execution, dramatically increasing the attack surface.
Organizations running FreeScout should update immediately and apply additional security hardening to protect their environments.
Security teams must also recognize that patching alone is not always sufficient; understanding the underlying vulnerability mechanics is essential to preventing future exploitation.