Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
Source: Bleeping Computer
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication.
The flaw is tracked as CVE‑2026‑28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE‑2026‑27636) that could be exploited by authenticated users with upload permissions.
Researchers at OX Security, a company that secures applications from code to runtime, say that an attacker can exploit the new vulnerability by sending a single crafted email to any address configured in FreeScout.
According to them, the fix attempted to block dangerous file uploads by modifying filenames with restricted extensions or those starting with a dot.
The OX Research team discovered that a zero‑width space (Unicode U+200B) could be placed before the filename to bypass the recently introduced validation mechanism, since the character is not treated as visible content. Subsequent processing removes that character, allowing the file to be saved as a dotfile, and hence still triggering CVE‑2026‑27636 exploitation by completely bypassing the latest security checks.
Exploitation chain
Source: OX Research
Making matters worse, CVE‑2026‑28289 can be triggered by a malicious email attachment delivered to a mailbox configured in FreeScout, the researchers say.
The program stores the attachment in “/storage/attachment/…”, enabling the attacker to access the uploaded payload through the web interface and execute commands on the server without authentication or user interaction, making it a zero‑click vulnerability.
“A patch bypass vulnerability in FreeScout 1.8.206 allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero‑width space character prefix to bypass the security check,” the vendor states in a security bulletin.
FreeScout is an open‑source help desk and shared mailbox platform used by organizations to manage customer support emails and tickets. It’s a self‑hosted alternative to Zendesk or Help Scout.
The project’s GitHub repository has 4,100 stars and over 620 forks, and OX Research reports that its Shodan scans returned 1,100 publicly exposed instances, indicating it’s a widely used solution.
Impact and mitigation
- Affected versions: All FreeScout versions up to and including 1.8.206.
- Patched in: Version 1.8.207 (released four days ago).
- Potential consequences: Full server compromise, data breaches, lateral movement into internal networks, and service disruption. Immediate patching is advised.
OX Research also recommends disabling AllowOverride All in the Apache configuration on the FreeScout server, even when running version 1.8.207.
No active exploitation of CVE‑2026‑28289 has been observed in the wild at the time of writing, but the nature of this flaw makes the risk of malicious activity starting soon very high.