FreeScout, a self-hosted customer support platform used by hundreds of organizations worldwide, contains a maximum-severity vulnerability that allows attackers to execute arbitrary code on a server by sending a single malicious email, with no authentication or user interaction required.
The flaw, tracked as CVE-2026-28289, was discovered by researchers at OX Security and affects all FreeScout versions up to and including 1.8.206. A patch was released in version 1.8.207 four days ago.
How the Attack Works
CVE-2026-28289 is a bypass of the fix for an earlier vulnerability, CVE-2026-27636, which let authenticated users with file-upload permission achieve remote code execution. That earlier patch tried to block dangerous uploads by rejecting certain filename extensions and any filename beginning with a dot.
OX Security's researchers found that prefixing a filename with a zero-width space (Unicode U+200B) defeats that validation. The dotfile check looks at the first character of the name, and that character is now U+200B rather than a dot, so the name passes. A later processing step then strips the zero-width character, and the file is written to disk as a dotfile after all, reopening the original exploit path as if the patch had never been applied. The root cause is ordering: the name is validated before it is normalized, so the string that is checked is not the string that is stored.
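The ordering bug described above, as an added illustration that is not FreeScout's code: the function names, the deny-list, the stripping behaviour and the sample filenames are assumptions made for this example. It shows the dotfile bypass from the text and, going beyond the single case reported, the same validate-then-normalize mistake applied to an extension deny-list.

```python
"""Validate-then-normalize ordering bug of the kind behind CVE-2026-28289.

Added illustration, not FreeScout's code: the function names, the rule set,
the stripping behaviour and the sample filenames are assumptions for this
example.
"""
import unicodedata

# Hypothetical deny-list of extensions; FreeScout's real list is not on the page.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}


def is_dangerous(name: str) -> bool:
    """Patch-style check: reject dotfiles and deny-listed extensions."""
    if name.startswith("."):
        return True
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXTENSIONS


def strip_invisible(name: str) -> str:
    """Sanitizer that drops Unicode format characters (category Cf), which
    includes U+200B ZERO WIDTH SPACE. Assumed here to stand in for the later
    processing step the text describes as stripping the character."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def store_vulnerable(name: str):
    """Validate first, sanitize afterwards: the order the bypass exploits.
    Returns the filename that would be written, or None if rejected."""
    if is_dangerous(name):
        return None
    return strip_invisible(name)


def store_fixed(name: str):
    """Sanitize (and NFKC-normalize) first, then validate exactly the string
    that will be stored."""
    clean = strip_invisible(unicodedata.normalize("NFKC", name))
    if not clean or is_dangerous(clean):
        return None
    return clean


def demo():
    """Constructed sample names: the bypass works against the vulnerable
    order and is caught once validation runs on the normalized name."""
    samples = [
        "report.pdf",        # benign, accepted by both
        ".hidden",           # plain dotfile, rejected by both
        "\u200b.hidden",     # U+200B prefix: slips past the vulnerable order
        "shell.p\u200bhp",   # same bug, zero-width inside the extension
    ]
    return {repr(s): (store_vulnerable(s), store_fixed(s)) for s in samples}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:<22} vulnerable -> {vuln!r:<14} fixed -> {fixed!r}")
```

The fix is the ordering, not the stripping: whatever canonicalization the storage layer applies must run before the check, and the check must run on the exact string that will reach the filesystem. Rejecting any name that contains format or control characters outright, instead of stripping them, is stricter still, since no legitimate attachment name needs a zero-width space.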
What makes this especially serious is the delivery vector. An attacker only needs to send an email carrying a malicious attachment to any mailbox FreeScout is configured to fetch. The platform stores the attachment automatically under /storage/attachment/, from where it is served through the web interface, and the attacker can then execute commands on the server with no further interaction.
Scope of Exposure
FreeScout positions itself as an open-source alternative to Zendesk and Help Scout. Its GitHub repository has 4,100 stars and over 620 forks. OX Security’s Shodan scans identified 1,100 publicly exposed instances, suggesting the platform’s deployment base is meaningful in scale.
The consequences of successful exploitation, as outlined by the FreeScout team, include full server compromise, data breaches, lateral movement into internal networks, and service disruption.
What to Do Now
Upgrading to version 1.8.207 is the primary recommended action. OX Security also advises turning off AllowOverride All in the Apache configuration of any FreeScout server, even after patching, as an additional layer of defense: with AllowOverride All in effect, a dotfile such as .htaccess written into a web-served directory can change how Apache serves that directory. Because the bypass leaves a dotfile in /storage/attachment/, checking that directory for unexpected dot-prefixed files is a straightforward way to look for earlier abuse.
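The weak and the hardened Apache setting side by side, as an added illustrative fragment rather than FreeScout's shipped configuration; the document root path is an assumption.

```apache
# Added example, not FreeScout's configuration. Assumes the application is
# served from /var/www/freescout; adjust the path to the real document root.

# Weak: any .htaccess file that lands anywhere under this directory, including
# the attachment storage path, is honoured and can override server settings.
<Directory /var/www/freescout>
    AllowOverride All
</Directory>

# Hardened: .htaccess files are ignored entirely (the Apache 2.4 default).
# Any rewrite or access rules the application needs must then live here in
# the vhost or Directory block rather than in per-directory files.
<Directory /var/www/freescout>
    AllowOverride None
</Directory>
```

If the deployment relies on an .htaccess shipped with the application for URL rewriting, move those rules into the vhost before switching to AllowOverride None, and reload Apache to confirm the site still routes correctly.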
- Affected versions: FreeScout 1.8.206 and all earlier releases
- Fixed version: FreeScout 1.8.207
- CVE severity: Maximum
- Publicly exposed instances detected: 1,100
- Attack requirement: None (zero-click, zero authentication)
No active exploitation of CVE-2026-28289 has been observed as of the time of writing. Given that the vulnerability requires nothing more than sending an email, the window before potential abuse narrows quickly once details are public.
This article is a curated summary based on third-party sources.