PROBABLYPWNED
Vulnerabilities | March 6, 2026 | 3 min read

FreeScout Zero-Click RCE Lets Hackers Hijack Servers via Email

CVE-2026-28289 allows unauthenticated attackers to achieve full server compromise by sending a single crafted email. CVSS 10.0—patch to 1.8.207 now.

Marcus Chen

A critical zero-click vulnerability in FreeScout, the popular open-source help desk platform, allows attackers to completely compromise servers by sending a single malicious email. No authentication, no user interaction—just an email to any monitored inbox.

CVE-2026-28289 carries a maximum CVSS score of 10.0. Security researchers at OX Security discovered the flaw while analyzing a patch for a related vulnerability, CVE-2026-27636.

How the Attack Works

The vulnerability stems from a time-of-check to time-of-use (TOCTOU) race condition in FreeScout's filename sanitization. When the application processes email attachments, it validates filenames to prevent dangerous uploads. But attackers can bypass this check by prepending a zero-width space character (Unicode U+200B) to the filename, because the check runs on the padded name while the file is written under the stripped one.

Here's the exploitation chain:

  1. Attacker sends an email with a malicious .htaccess file attachment
  2. The filename includes an invisible zero-width space before the dot
  3. FreeScout's validation sees [invisible].htaccess and allows it
  4. The sanitization function strips the invisible character after validation
  5. The file saves as .htaccess, enabling arbitrary PHP code execution

This technique works because Apache treats .htaccess files as configuration directives, allowing attackers to enable PHP execution in otherwise restricted directories.
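To make the ordering bug concrete, here is an added illustration in Python that is not FreeScout's code and not from OX Security's writeup: a check-then-sanitize attachment handler modelling the flaw described above, beside the sanitize-then-check form that validates the exact name it will write. The denylist, function names and sample filenames are constructed for this example.

```python
import unicodedata

# Constructed denylist: server-configuration names an attachment handler
# must never write into a web-served directory.
BLOCKED_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


def is_dangerous(name: str) -> bool:
    """Validation step: reject known server-configuration filenames."""
    return name.lower() in BLOCKED_NAMES


def strip_invisible(name: str) -> str:
    """Sanitization step: NFKC-normalize, then drop Unicode format
    characters (category Cf), which includes U+200B ZERO WIDTH SPACE."""
    normalized = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in normalized if unicodedata.category(ch) != "Cf")


def save_name_vulnerable(name: str):
    """Check-then-sanitize, the TOCTOU ordering the article describes.
    Returns the name that would reach disk, or None if rejected."""
    if is_dangerous(name):        # check runs on the raw, padded name
        return None
    return strip_invisible(name)  # the name actually used differs


def save_name_fixed(name: str):
    """Sanitize-then-check: validate the final string and nothing else.
    Also rejects every dotfile (a stricter policy than the denylist alone)."""
    final = strip_invisible(name)
    if not final or final.startswith(".") or is_dangerous(final):
        return None
    return final


def flag_suspicious(names):
    """Triage helper for log review: names whose sanitized form differs
    from the raw form (hidden characters present) or is itself dangerous."""
    return [n for n in names
            if strip_invisible(n) != n or is_dangerous(strip_invisible(n))]


if __name__ == "__main__":
    padded = "\u200b.htaccess"  # constructed sample, not a real attachment
    print(repr(save_name_vulnerable(padded)))  # '.htaccess' reaches disk
    print(repr(save_name_fixed(padded)))       # None, rejected
```

The only structural fix is that the fixed variant never transforms the name after the check; any later normalization, path joining or extension rewrite would reopen the same gap.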

Affected Systems

All FreeScout installations running version 1.8.206 or earlier are vulnerable when hosted on Apache with AllowOverride All enabled—a common default configuration. According to OX Security's research, approximately 1,100 publicly exposed FreeScout instances are discoverable via Shodan.

Affected organizations span:

  • Public health institutions
  • Financial services firms
  • Technology providers
  • News organizations

The vulnerability shares characteristics with other critical web application flaws we've covered, including the recent Zoom Meeting Room CVSS 9.9 RCE that also allowed remote attackers to compromise enterprise infrastructure.

Why This Matters

Help desk applications are attractive targets because they necessarily accept input from untrusted sources—that's their entire purpose. FreeScout handles sensitive customer communications, support tickets, and often integrates with internal systems. A compromise gives attackers access to customer data, internal communications, and potentially lateral movement into connected systems.

The zero-click nature makes this particularly dangerous. Unlike phishing attacks that require user interaction, exploitation of CVE-2026-28289 happens automatically when FreeScout processes the incoming email. Attackers don't need credentials, social engineering, or even knowledge of specific users—just an email address the system monitors.

Recommended Mitigations

  1. Upgrade immediately to FreeScout version 1.8.207 or later, where the vulnerability is patched
  2. Disable AllowOverride in Apache configuration for the FreeScout directory, even on patched versions
  3. Review access logs for suspicious attachment uploads or unexpected .htaccess file creation
  4. Implement network segmentation to limit blast radius if help desk servers are compromised
  5. Consider WAF rules to block requests containing zero-width space characters in filenames

For organizations needing additional guidance on vulnerability management priorities, the Firefox 147 security update earlier this year highlighted similar challenges with prioritizing patches across diverse software portfolios.

Frequently Asked Questions

Is my FreeScout installation affected?

If you're running version 1.8.206 or earlier on Apache with AllowOverride All enabled, yes. Check your version in the FreeScout admin panel under System > About.

Can attackers exploit this remotely without any prior access?

Yes. The vulnerability requires only that an attacker can send email to any address monitored by FreeScout. No authentication or prior access is needed.

What should I do if I can't upgrade immediately?

As a temporary mitigation, disable AllowOverride All in your Apache configuration for the FreeScout directory. This prevents .htaccess files from being processed but may break some functionality.
