Overview
FreeScout, the open-source help-desk and shared mailbox solution, has long been praised for its lightweight footprint and ease of self-hosting. On March 4, 2026, security firm Ox Security reported a critical, zero-click remote code execution (RCE) vulnerability that affects every FreeScout installation running on Apache with AllowOverride All. The flaw, cataloged as CVE-2026-28289, earns a perfect CVSS v3.1 score of 10.0 and supersedes a previously patched issue (CVE-2026-27636). In short, an attacker can upload a malicious .htaccess file whose invisible filename prefix is silently stripped during sanitization, granting full server compromise without authentication or user interaction.
Technical Details
CVE Identifier and Scoring
- CVE-2026-28289 - Critical
- CVSS v3.1 Base Score: 10.0 (Critical)
- Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None
Root Cause: TOCTOU in Filename Sanitization
The vulnerability stems from a classic Time-of-Check-to-Time-of-Use (TOCTOU) bug in FreeScout's file-upload routine. The code performs a "dot-prefix" check before it strips invisible Unicode characters. An attacker can prepend a zero-width space (U+200B) to the filename, so the check sees a string that begins with an invisible character rather than a dot (U+200B followed by .htaccess) and allows the upload. During the subsequent sanitization step, the invisible character is removed, and the file is written to disk as a true .htaccess file.
Exploitation Flow
1. Attacker crafts an email with an attachment named "\u200B.htaccess".
2. The email is sent to any mailbox monitored by a vulnerable FreeScout instance.
3. FreeScout parses the message and writes the attachment to the upload directory.
4. Initial validation passes because the filename does not start with a visible dot.
5. Sanitization strips U+200B, leaving ".htaccess" on disk.
6. Apache, with AllowOverride All, reads the new .htaccess and applies attacker-controlled directives.
7. Arbitrary PHP code execution follows (e.g., php_value auto_prepend_file /tmp/shell.php).
8. Attacker gains a reverse shell, full OS access, and can pivot laterally.
Why the Patch for CVE-2026-27636 Failed
The earlier fix attempted to block dot-prefixed filenames by appending an underscore to the extension, effectively turning .htaccess into .htaccess_. However, because the check occurs before invisible characters are stripped, the zero-width space bypasses the block entirely. The resulting file is saved with the original .htaccess name, rendering the mitigation ineffective.
Impact Analysis
The attack surface is surprisingly broad:
- All self-hosted FreeScout deployments running version 1.8.206 or earlier are vulnerable.
- The exploit works on any Apache server where AllowOverride All is enabled, a default in many FreeScout installation guides.
- No authentication, no privileged credentials, and no user interaction are required; merely receiving an email triggers the chain.
- Successful exploitation gives the attacker root-level code execution (or at least the same privileges as the Apache process, which is often www-data or a system user).
- Consequences include exfiltration of help-desk tickets, customer data, internal communications, and the ability to install ransomware or move laterally to other services on the same network.
Given the typical deployment model (small-to-medium businesses running FreeScout on inexpensive VPS or on-premises VMs), the impact can be catastrophic, turning a modest support portal into a foothold for full-scale compromise.
Timeline of Events
- 2026-02-20 - FreeScout releases version 1.8.206, containing the original fix for CVE-2026-27636.
- 2026-02-28 - Ox Security discovers the zero-width-space bypass and begins internal testing.
- 2026-03-02 - Public advisory posted on SecurityWeek, detailing CVE-2026-28289.
- 2026-03-04 - FreeScout maintainers confirm the flaw, assign CVE-2026-28289, and release version 1.8.207 with a proper sanitization routine.
- 2026-03-05 - This blog post published, urging immediate patching.
Mitigation / Recommendations
- Update Immediately: Upgrade to FreeScout v1.8.207 or later. The fix moves the dot-prefix check after Unicode normalization and explicitly rejects zero-width characters.
- Hardening Apache: Disable AllowOverride All for the FreeScout upload directory. Use AllowOverride None and manage required directives in the main configuration.
- Validate Input Server-Side: Implement a whitelist of allowed file extensions (e.g., images, PDFs) and reject any filename containing control or invisible Unicode characters before any filesystem interaction.
- Network Segmentation: Isolate the FreeScout server from critical internal assets. If the web server is compromised, lateral movement will be limited.
- Logging & Monitoring: Enable detailed Apache access logs and monitor for newly created .htaccess files in the upload path. Alert on any file creation with a leading dot.
- Email Sanitization: Use a mail gateway that strips or rejects attachments with suspicious filenames or Unicode anomalies.
- Backup & Recovery: Maintain immutable backups of the FreeScout database and configuration. In the event of compromise, a clean restore can be performed quickly.
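To make the TOCTOU ordering described under "Root Cause" and the "Validate Input Server-Side" recommendation concrete, here is an added example (not FreeScout's own code) that places the sanitization order the advisory attributes to the CVE-2026-27636 fix beside a hardened order that normalizes and rejects invisible characters first; the extension allow-list and helper names are assumptions for illustration.

```python
import unicodedata

# Unicode general categories treated as invisible: Cf (format characters such as
# U+200B ZERO WIDTH SPACE, U+FEFF, U+202E) and Cc (ASCII/C1 control characters).
INVISIBLE_CATEGORIES = {"Cf", "Cc"}
# Assumed allow-list for a help-desk upload directory (not FreeScout's list).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv"}


def strip_invisible(name: str) -> str:
    """Drop format and control characters from a filename."""
    return "".join(c for c in name if unicodedata.category(c) not in INVISIBLE_CATEGORIES)


def sanitize_vulnerable(name: str) -> str:
    """Order the advisory attributes to the CVE-2026-27636 fix: the dot-prefix
    check runs BEFORE invisible characters are stripped (the TOCTOU window)."""
    if name.startswith("."):
        name += "_"                  # ".htaccess" becomes ".htaccess_"
    return strip_invisible(name)     # U+200B + ".htaccess" becomes ".htaccess" here


def sanitize_fixed(name: str):
    """Hardened order: normalize and reject invisible characters first, then
    check the dot prefix and enforce the allow-list. Returns None to reject."""
    normalized = unicodedata.normalize("NFKC", name)
    if strip_invisible(normalized) != normalized:
        return None                  # any zero-width or control character: reject
    if "/" in normalized or "\\" in normalized or normalized in ("", ".", ".."):
        return None                  # no path separators or traversal tokens
    if normalized.startswith("."):
        return None                  # hidden files such as .htaccess are never stored
    ext = normalized.rsplit(".", 1)[1].lower() if "." in normalized else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return normalized


def is_dotfile_after_normalization(name: str) -> bool:
    """Audit helper for the upload directory: True if a name would land on disk
    as a hidden file once invisible characters are removed."""
    return strip_invisible(unicodedata.normalize("NFKC", name)).startswith(".")


if __name__ == "__main__":
    # Constructed sample filenames, including the advisory's zero-width-space case.
    for sample in ["\u200b.htaccess", ".htaccess", "report.pdf", "photo\u202e.png"]:
        print(repr(sample), "->", repr(sanitize_vulnerable(sample)), "|", repr(sanitize_fixed(sample)))
```

The audit helper can be run over existing attachment names to find uploads that already slipped through before the patch was applied.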
Real-World Impact
Organizations that rely on FreeScout for customer support often store sensitive ticket data, personal identifiers, and even payment-related communications. A compromised FreeScout instance can therefore become a gold mine for threat actors seeking credential stuffing material, phishing kits, or ransomware negotiation leverage. Moreover, because the exploit is triggered via email, an everyday communication channel, many businesses will be exposed before they even realize they are under attack.
Early adopters of the patch have reported that the new sanitization routine adds negligible overhead while fully eliminating the zero-width-space bypass. However, enterprises that cannot patch immediately should consider a temporary mitigation: move the upload directory outside the web root and serve files via a dedicated file-serving service that does not interpret .htaccess files.
Expert Opinion
From a broader industry perspective, CVE-2026-28289 underscores two recurring themes in web-application security:
- Invisible characters as an attack vector: Unicode normalization is often overlooked in input validation. Attackers routinely exploit zero-width spaces, right-to-left marks, and other non-printing characters to subvert naïve string checks.
- Patch-bypass chains: The fact that a fix for a high-severity bug (CVE-2026-27636) could be bypassed so readily highlights the need for defense-in-depth. Relying on a single “dot-prefix” block is insufficient; comprehensive sanitization and configuration hardening must go hand-in-hand.
Going forward, developers of open-source SaaS-like tools should adopt a "secure-by-default" posture: disable AllowOverride wherever possible, enforce strict MIME-type checks, and treat any filename containing Unicode control characters as malicious. For operators, the lesson is clear: regularly audit third-party applications for TOCTOU patterns and keep an eye on the security mailing lists of the projects they depend on.
In short, CVE-2026-28289 is a wake-up call for the FreeScout community and for any organization that self-hosts web-based collaboration tools. Prompt patching, configuration hardening, and vigilant monitoring are the only reliable defenses against this zero-click, full-system compromise.