CVE-2025-58163
📋 TL;DR
CVE-2025-58163 is a remote code execution vulnerability in the FreeScout help desk application. An authenticated attacker who also knows the instance's Laravel APP_KEY can submit a payload that FreeScout decrypts with that key and then deserializes without validating its contents; a crafted serialized PHP object turns that deserialization into arbitrary command execution on the server. FreeScout 1.8.185 and earlier are affected, and every organization running an unpatched instance is exposed, with the APP_KEY as the one precondition the attacker has to meet.
💻 Affected Systems
- FreeScout
📦 What is this software?
FreeScout by FreeScout: a free, open-source help desk and shared-mailbox application written in PHP on the Laravel framework.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the web server, steal customer data and credentials, deface the help desk interface, and use the system for further attacks.
If Mitigated
Limited impact due to network segmentation, minimal privileges, and monitoring catching exploitation attempts before damage occurs.
🎯 Exploit Status
Exploitation requires an authenticated account plus the instance's Laravel APP_KEY (kept in the .env file). This bug does not itself disclose the key; it has to come from elsewhere, for example a web-readable .env file, a leaked backup or container image, or a key committed to a repository. Wherever the key has been exposed, this vulnerability becomes a practical remote code execution path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.186
Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-j94w-q9gj-c37g
Restart Required: Yes
Instructions:
1. Back up the FreeScout files and the database.
2. Obtain the 1.8.186 release from the official repository and replace the application files in place.
3. From the FreeScout root, running as the application user, clear cached configuration and the application cache: php artisan config:clear and php artisan cache:clear.
4. Restart PHP-FPM (or reload Apache/Nginx if PHP runs in-process) so OPcache stops serving the old files.
5. Confirm the version shown in the admin panel, or in config/app.php, is 1.8.186 or later.
If the APP_KEY may already have leaked, patching alone does not close the door: rotate the key as described under Temporary Workarounds and fix whatever exposed it.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Temporarily deny access to the affected endpoint at the web server or WAF. This also breaks whatever legitimate use the endpoint has, so treat it as a stopgap until the upgrade is applied.
# Apache (virtual host context; in .htaccess the rewritten path has no leading slash, so drop the "/" from the pattern there)
RewriteEngine On
RewriteRule ^/help/.*/auth/.* - [F]
# Nginx (inside the server block; a regex location is matched before the generic "location /")
location ~ ^/help/.*/auth/.* { return 403; }
Rotate APP_KEY
Generate a new APP_KEY in .env so that payloads encrypted under the leaked key no longer pass Laravel's MAC check. Run the command as the application user from the FreeScout root, then clear cached configuration. It invalidates everything encrypted under the old key, including active sessions and any application data FreeScout stored encrypted, and it only helps if the new key is not exposed the same way the old one was.
php artisan key:generate
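The following is an added example, not FreeScout's or Laravel's code, modelling the envelope that Laravel's Encrypter produces and checks: the gate that sits in front of the vulnerable deserialization and the reason both "knowledge of the APP_KEY" and key rotation matter. Laravel encodes ciphertext as base64(JSON{iv, value, mac}) with mac = HMAC-SHA256(base64(iv) || base64(ciphertext), APP_KEY); decrypt() rejects any payload whose MAC does not verify and only then unserializes the plaintext (Encrypter::decrypt($payload, $unserialize) unserializes unless the caller passes false, which is the hardening for code that only ever expects a string). AES-256-CBC itself is omitted here: the ciphertext is a constructed opaque blob, which is all the MAC check ever looks at, and both keys are constructed stand-ins.

```python
"""Added example (not FreeScout's or Laravel's code): Laravel's encrypted-payload
envelope and the MAC check that decides what reaches unserialize()."""
import base64
import hashlib
import hmac
import json

# Constructed keys in the .env "base64:..." form. OLD_KEY stands in for a leaked
# APP_KEY, NEW_KEY for the one `php artisan key:generate` writes.
OLD_KEY = "base64:" + base64.b64encode(b"\x11" * 32).decode()
NEW_KEY = "base64:" + base64.b64encode(b"\x22" * 32).decode()


def parse_app_key(app_key: str) -> bytes:
    """Decode APP_KEY the way Laravel does: strip the base64: prefix and decode."""
    prefix = "base64:"
    if app_key.startswith(prefix):
        return base64.b64decode(app_key[len(prefix):])
    return app_key.encode()


def laravel_mac(iv_b64: str, value_b64: str, key: bytes) -> str:
    """Encrypter::hash(): hex HMAC-SHA256 over base64(iv) || base64(ciphertext)."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def build_envelope(key: bytes, ciphertext: bytes, iv: bytes) -> str:
    """Shape of Encrypter::encrypt() output: base64(JSON{iv, value, mac})."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64,
               "mac": laravel_mac(iv_b64, value_b64, key)}
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


def envelope_is_valid(key: bytes, envelope: str) -> bool:
    """Mirror Encrypter::getJsonPayload(): shape, IV length and constant-time MAC check."""
    try:
        payload = json.loads(base64.b64decode(envelope, validate=True))
    except (ValueError, TypeError):
        return False
    if not isinstance(payload, dict) or not all(
            isinstance(payload.get(k), str) for k in ("iv", "value", "mac")):
        return False
    try:
        if len(base64.b64decode(payload["iv"], validate=True)) != 16:  # AES-CBC IV length
            return False
    except ValueError:
        return False
    expected = laravel_mac(payload["iv"], payload["value"], key)
    return hmac.compare_digest(expected.encode(), payload["mac"].encode())


def tamper_value(envelope: str, new_ciphertext: bytes) -> str:
    """Swap the ciphertext but keep the old MAC: all an attacker without the key can do."""
    payload = json.loads(base64.b64decode(envelope))
    payload["value"] = base64.b64encode(new_ciphertext).decode()
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


def demo() -> dict:
    """Who the gate lets through: the key holder; not a tamperer; nobody after rotation."""
    ciphertext = b"\xab" * 48  # constructed stand-in for AES output of a serialized object
    iv = b"\x01" * 16
    env = build_envelope(parse_app_key(OLD_KEY), ciphertext, iv)
    return {
        "key_holder_accepted": envelope_is_valid(parse_app_key(OLD_KEY), env),
        "tampered_rejected": not envelope_is_valid(
            parse_app_key(OLD_KEY), tamper_value(env, b"\xcd" * 48)),
        "rejected_after_rotation": not envelope_is_valid(parse_app_key(NEW_KEY), env),
    }


if __name__ == "__main__":
    print(demo())
```

The three results are the whole story of this CVE from the defender's side: the MAC check is sound, so tampering without the key fails, but anyone holding APP_KEY produces payloads the application trusts completely, and rotating the key is what turns an attacker's existing payloads back into rejected ones.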
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FreeScout from critical systems
- Deploy a web application firewall (WAF) in front of the endpoint. A payload encrypted under APP_KEY is opaque to content signatures, so rules keyed on the endpoint path, request rate and client reputation do more than "deserialization" pattern matching
- Confirm the APP_KEY is not exposed: .env must not be readable over HTTP, and backups, container images and repositories that contain it must be access-controlled, since possession of the key is the precondition for exploitation
🔍 How to Verify
Check if Vulnerable:
Read the version from the admin panel or from the application files. Versions 1.8.185 and earlier are vulnerable.
Check Version:
grep -n "'version'" config/app.php
Verify Fix Applied:
Confirm the version is 1.8.186 or later in the admin panel or in config/app.php. Do not verify by sending serialized payloads at a production instance; if a behavioural check is wanted, run it against a staging copy and confirm the endpoint rejects what the old build accepted.
📡 Detection & Monitoring
Log Indicators:
- Requests to /help/*/auth/* that return 5xx, arrive in bursts from one client, or carry a scripting user agent
- DecryptException entries in storage/logs/laravel.log ("The MAC is invalid." or "The payload is invalid."), which Laravel raises when data handed to decrypt() fails its MAC or shape check
- Unexpected PHP errors or warnings that mention unserialize()
Network Indicators:
- Long base64 blobs in the customer_id or timestamp parameters of requests to the endpoint (the shape of Laravel's encrypted envelope)
- Plaintext PHP serialization such as O:<n>:" in those parameters; a working payload is encrypted under APP_KEY and opaque on the wire, so this indicates probing without the key rather than a successful exploit
SIEM Query:
source="web_server_logs" AND uri="/help/*/auth/*" AND (status>=500 OR parameters="*O:*")
Correlate hits with DecryptException entries in laravel.log from the same time window; a user-agent match on "serialize" is not a useful signal, since the serialized object never appears in plaintext in a real attack.
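The following is an added detection example, not part of the FreeScout project, that applies the indicators above to sample logs: it scores each client's requests to the endpoint by server errors, envelope-shaped parameters and plaintext PHP serialization, and counts DecryptException entries in laravel.log. All log lines are constructed for the example, and the parameter names watched are the ones the indicators list (customer_id and timestamp).

```python
"""Added detection example (not FreeScout's code): score access-log lines for the
CVE-2025-58163 indicators and count Laravel DecryptException entries."""
import base64
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote, urlsplit

# Combined log format: ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTH_PATH_RE = re.compile(r"^/help/[^/]+/auth(?:/|$)")   # the /help/*/auth/* endpoint
PHP_SERIALIZED_RE = re.compile(r"^[Oa]:\d+:")            # plaintext PHP serialization, e.g. O:8:"stdClass"
# Laravel's Encrypter reports a bad envelope as DecryptException
DECRYPT_FAIL_RE = re.compile(r"DecryptException|The MAC is invalid|The payload is invalid")
WATCHED_PARAMS = ("customer_id", "timestamp")


def is_laravel_envelope(value: str) -> bool:
    """True when a value has the base64(JSON{iv,value,mac}) shape Laravel's encrypt() emits."""
    try:
        payload = json.loads(base64.b64decode(value, validate=True))
    except (ValueError, TypeError):
        return False
    return isinstance(payload, dict) and all(k in payload for k in ("iv", "value", "mac"))


def analyze(access_lines, laravel_lines):
    """Per-client counters for the endpoint plus the number of decrypt failures in laravel.log."""
    per_ip = defaultdict(lambda: {"auth_requests": 0, "server_errors": 0,
                                  "envelope_params": 0, "plaintext_serialized": 0})
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not AUTH_PATH_RE.match(url.path):
            continue
        stats = per_ip[m["ip"]]
        stats["auth_requests"] += 1
        if m["status"].startswith("5"):
            stats["server_errors"] += 1
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name not in WATCHED_PARAMS:
                continue
            # parse_qsl turns an unescaped '+' into a space; restore it before base64 decoding
            if is_laravel_envelope(value.replace(" ", "+")):
                stats["envelope_params"] += 1
            elif PHP_SERIALIZED_RE.match(value):
                stats["plaintext_serialized"] += 1
    decrypt_failures = sum(1 for line in laravel_lines if DECRYPT_FAIL_RE.search(line))
    alerts = {ip: s for ip, s in per_ip.items()
              if s["server_errors"] or s["envelope_params"] or s["plaintext_serialized"]}
    return {"per_ip": dict(per_ip), "decrypt_failures": decrypt_failures, "alerts": alerts}


def constructed_envelope() -> str:
    """A value with the envelope shape and a dummy MAC, used only in the sample log below."""
    payload = {"iv": base64.b64encode(b"\x01" * 16).decode(),
               "value": base64.b64encode(b"\xab" * 32).decode(),
               "mac": "00" * 32}
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


SAMPLE_ACCESS = [  # constructed: 203.0.113.7 probes the endpoint, 198.51.100.20 is ordinary traffic
    '203.0.113.7 - - [02/Oct/2025:09:15:01 +0000] "GET /help/1/auth/?customer_id='
    + quote(constructed_envelope(), safe="")
    + '&timestamp=1759396501 HTTP/1.1" 500 1203 "-" "python-requests/2.32"',
    '203.0.113.7 - - [02/Oct/2025:09:15:03 +0000] "GET /help/1/auth/?customer_id=O:8:%22stdClass%22:0:{}'
    '&timestamp=1 HTTP/1.1" 500 1203 "-" "python-requests/2.32"',
    '198.51.100.20 - - [02/Oct/2025:09:16:10 +0000] "GET /help/1/auth/?customer_id=42&timestamp=1759396570'
    ' HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [02/Oct/2025:09:16:11 +0000] "GET /conversation/123 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
]
SAMPLE_LARAVEL = [  # constructed, in laravel.log's format
    '[2025-10-02 09:14:00] production.INFO: Scheduled command finished',
    '[2025-10-02 09:15:01] production.ERROR: The MAC is invalid. {"exception":"[object] '
    '(Illuminate\\\\Contracts\\\\Encryption\\\\DecryptException(code: 0): The MAC is invalid.)"}',
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_ACCESS, SAMPLE_LARAVEL), indent=2))
```

Baseline the envelope counter against normal traffic before alerting on it alone: if the endpoint legitimately carries Laravel-encrypted values, that signal is only meaningful together with server errors or with DecryptException entries in the same window, whereas plaintext serialization in the parameters is always hostile.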