A vulnerability in the open-source help desk and shared inbox platform FreeScout could allow attackers to bypass a previously patched remote code execution (RCE) flaw, Ox Security reported Tuesday.FreeScout, which markets itself as a free, self-hosted alternative to Zendesk and Help Scout, is built on the PHP Laravel framework and has more than 4,000 stars on GitHub.Last week, FreeScout patched a high-severity vulnerability tracked as CVE-2026-27636, which would allow any authenticated user to achieve RCE.Ox Security explained that the flaw, originally discovered by Offensive.sa, enabled logged-in users to upload files by attaching them to a draft email, even if the email was not sent.Attackers could use this method to overwrite FreeScout’s “.htaccess” configuration file and add a configuration to treat .txt files as runnable PHP. They could then upload a .txt file enabling command execution and access the file URL to execute arbitrary commands.
Related reading:
FreeScout patched this issue by disallowing the upload of files with certain extensions and files that start with a dot (i.e. dotfiles like .htaccess). However, Ox Security found that by beginning a file name with a zero-width space character (U+200B), they could bypass the dotfile upload restriction. Meanwhile, the file would still be uploaded without the space after processing, allowing .htaccess to be overwritten.This flaw, dubbed “Mail2Shell” by Ox Security and tracked as CVE-2026-28289, was patched by FreeScout on Feb. 27, 2026. The vulnerability was originally assigned a CVSS score of 10 by FreeScout via GitHub, while the National Institute of Standards and Technology (NIST) assessed the flaw at a CVSS score of 7.5 in the National Vulnerability Database (NVD).The vulnerability could also be escalated from an authenticated RCE to an unauthenticated RCE on internet-exposed FreeScout instances, according to Ox Security researchers.A remote attacker could potentially achieve this by sending an email containing the malicious attachments to a mailbox configured in FreeScout. This would cause the files to be uploaded at a predictable path starting with “http://[victim’s domain]/storage/attachment/” that the attacker could then access to run PHP and execute commands, according to Ox Security. A Shodan search revealed about 1,100 publicly exposed FreeScout instances across industries, including public health, technology, financial services and news organizations, Ox Security said.FreeScout users must upgrade to version 1.8.207 or later to be fully patched, as the previously patched version 1.8.206 is still vulnerable to CVE-2026-28289.Users are also recommended to disable AllowOverrideAll in the Apache configuration on the FreeScout server, even if they are fully patched, the researchers said.
Vulnerability Management, Patch/Configuration Management, Email security
‘Mail2Shell’ FreeScout patch bypass exploit leads to RCE

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



