CVE-2025-54366
📋 TL;DR
CVE-2025-54366 is a critical PHP deserialization vulnerability in the FreeScout help desk software. Attachment parameters submitted to the /conversation/ajax endpoint are passed through Helper::decrypt(), and the decrypted value is unserialized; an authenticated user who also knows the instance's APP_KEY can therefore craft a payload that deserializes into an attacker-chosen object and achieve remote code execution as the web server user. Versions 1.8.185 and below are affected. Organizations running vulnerable FreeScout instances are at risk of data theft, system takeover, and lateral movement from the compromised host.
💻 Affected Systems
- FreeScout Help Desk, versions 1.8.185 and earlier
📦 What is this software?
FreeScout is an open-source, self-hosted help desk and shared mailbox application written in PHP on the Laravel framework.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data exfiltration, installation of persistent backdoors, lateral movement to other systems, and potential ransomware deployment.
Likely Case
Attacker gains shell access to the web server, steals sensitive customer support data and credentials, and uses the compromised system as a foothold for further attacks.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring that detects exploitation attempts early.
🎯 Exploit Status
Exploitation requires an authenticated account plus knowledge of the APP_KEY. Laravel's encrypter verifies an HMAC over the ciphertext with that key before it unserializes anything, so a crafted payload sent without the key is rejected with a DecryptException rather than executed. Once both preconditions are met the attack path is direct, because the flaw sits in a core request handler, and no public proof of concept is needed for a motivated attacker to reach it.
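The APP_KEY precondition above follows from the envelope format of Laravel's Encrypter, which FreeScout's Helper::decrypt() wraps: base64(JSON{"iv","value","mac"}) with mac = HMAC-SHA256(key, iv_b64 + value_b64), checked before the value is decrypted and unserialized. The following is an added example, not FreeScout's or Laravel's own code; it reproduces only that MAC check so that, during incident response, a captured attachment parameter can be tested against your APP_KEY. A payload whose MAC verifies under your key was built by someone who holds the key. The keys and payload bytes are constructed fixtures, and the "ciphertext" is opaque bytes rather than an encrypted PHP object.

```python
"""Triage a captured FreeScout attachment parameter as a Laravel Crypt payload.

Added example. Reproduces only Laravel's envelope/MAC check, which runs before
unserialize(); nothing here builds or decrypts a deserialization payload.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys in the .env "base64:<32 bytes>" form; not real secrets.
EXAMPLE_APP_KEY = "base64:" + base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
OTHER_KEY = "base64:" + base64.b64encode(b"fedcba9876543210fedcba9876543210").decode()


def load_app_key(app_key: str) -> bytes:
    """Decode APP_KEY as Laravel does: strip the base64: prefix if present."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """HMAC-SHA256 over the concatenated base64 iv and value, hex encoded."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def parse_payload(payload: str) -> Optional[dict]:
    """Return the {"iv","value","mac"} envelope, or None if the input is not one."""
    try:
        data = json.loads(base64.b64decode(payload))
    except (ValueError, TypeError):  # binascii.Error / UnicodeDecodeError are ValueErrors
        return None
    if not isinstance(data, dict) or not all(
            isinstance(data.get(k), str) for k in ("iv", "value", "mac")):
        return None
    return data


def mac_is_valid(payload: str, app_key: str) -> bool:
    """True only if the payload's MAC verifies under app_key (constant-time compare)."""
    data = parse_payload(payload)
    if data is None:
        return False
    expected = laravel_mac(load_app_key(app_key), data["iv"], data["value"])
    return hmac.compare_digest(expected, data["mac"])


def build_envelope(app_key: str, iv: bytes, ciphertext: bytes) -> str:
    """Wrap opaque bytes in the Laravel envelope. Fixture only: the ciphertext is
    arbitrary bytes, not an encrypted serialized PHP object."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    env = {"iv": iv_b64, "value": value_b64,
           "mac": laravel_mac(load_app_key(app_key), iv_b64, value_b64)}
    return base64.b64encode(json.dumps(env).encode()).decode()


def triage() -> dict:
    """Classify four constructed captures against EXAMPLE_APP_KEY."""
    iv, blob = b"\x00" * 16, b"opaque-ciphertext-bytes"
    with_key = build_envelope(EXAMPLE_APP_KEY, iv, blob)      # built by a key holder
    without_key = build_envelope(OTHER_KEY, iv, blob)         # built without the real key
    env = json.loads(base64.b64decode(with_key))
    env["value"] = base64.b64encode(b"swapped-in-bytes").decode()  # ciphertext altered, MAC stale
    tampered = base64.b64encode(json.dumps(env).encode()).decode()
    return {
        "key_holder": mac_is_valid(with_key, EXAMPLE_APP_KEY),   # True: APP_KEY is compromised
        "no_key": mac_is_valid(without_key, EXAMPLE_APP_KEY),    # False: rejected before unserialize
        "tampered": mac_is_valid(tampered, EXAMPLE_APP_KEY),     # False
        "garbage": mac_is_valid("not-a-laravel-payload", EXAMPLE_APP_KEY),  # False
    }
```

If a payload recovered from a request or a web-server log verifies under the production APP_KEY, treat the key as leaked and rotate it as described under the workarounds, in addition to patching.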
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.186
Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj
Restart Required: Yes
Instructions:
1. Back up the FreeScout installation directory and its database.
2. Download version 1.8.186 (or later) from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Clear the Laravel caches (php artisan cache:clear; also php artisan config:clear if configuration caching is enabled).
5. Restart the web server (e.g. systemctl restart apache2); where PHP runs under PHP-FPM, restart it too so the opcache picks up the new files.
6. Confirm the running version on the admin System page before removing any endpoint blocks added as a workaround.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Temporarily block access to the vulnerable /conversation/ajax endpoint in the web server configuration. This endpoint also serves legitimate conversation actions in the agent UI, so expect broken functionality until the patch is applied; where possible restrict the block to untrusted source networks instead of denying all. The Apache rule requires mod_rewrite and AllowOverride for the document root.
# For Apache: add to .htaccess
RewriteRule ^conversation/ajax.*$ - [F,L]
# For Nginx: add to server block
location ~ ^/conversation/ajax { deny all; }
Rotate APP_KEY
Rotating the APP_KEY only invalidates a key an attacker may already have obtained; it does not remove the deserialization flaw, so treat it as a complement to patching, not a substitute. Rotate if the .env file, or a backup or repository copy containing it, may have been exposed. Laravel ties every encrypted value to this key, so rotation logs out existing sessions and breaks data the application stored encrypted with the old key (for FreeScout this includes stored mailbox passwords, so re-check mailbox connection settings afterwards). Run php artisan config:clear after generating the key if configuration is cached.
php artisan key:generate
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FreeScout from critical systems
- Deploy a WAF with rules to detect and block deserialization attacks on the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check the FreeScout version on the admin System page, or read the version key in config/app.php (the value the admin panel displays); anything at or below 1.8.185 is vulnerable. Compare versions numerically, not lexically (1.8.99 is older than 1.8.186).
Check Version:
grep -oE "'version' *=> *'[0-9.]+'" config/app.php
Verify Fix Applied:
Confirm version is 1.8.186 or higher in admin panel or composer.json
📡 Detection & Monitoring
Log Indicators:
- POST requests to /conversation/ajax from unexpected clients or scripting user agents, especially bursts that end in HTTP 500 responses
- Illuminate\Contracts\Encryption\DecryptException entries ("The MAC is invalid.") in storage/logs/laravel.log, which Laravel writes when Helper::decrypt() is handed a payload that fails HMAC verification, i.e. a crafted payload sent without the APP_KEY; unserialize() errors in the same log
- Unexpected process execution by the web server user (www-data or equivalent), such as shells or network tools spawned from php-fpm or apache2
Network Indicators:
- POST bodies to /conversation/ajax whose attachment parameter is an unusually long base64 blob that decodes to a JSON object with iv, value and mac members (Laravel's encrypted-payload envelope)
- Outbound connections from the web server to unfamiliar IPs, which a deserialization payload would typically use to fetch a second stage or open a reverse shell
SIEM Query:
Web server access logs do not record POST bodies, so parameter names cannot be matched there; rank clients hitting the endpoint and correlate with the application log, where the failed MAC checks appear.
source="web_server_logs" uri="/conversation/ajax" method="POST" | stats count by src_ip, status, user_agent
source="laravel_log" ("DecryptException" OR "The MAC is invalid")