CVE-2026-26333
📋 TL;DR
Calero VeraSMART versions before 2022 R1 expose an unauthenticated .NET Remoting service on port 8001, allowing remote attackers to read/write arbitrary files and potentially achieve remote code execution via ViewState manipulation. This affects organizations using vulnerable VeraSMART installations, particularly those with internet-facing instances.
💻 Affected Systems
- Calero VeraSMART
📦 What is this software?
Verasmart by Calero
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the IIS server, complete compromise of the VeraSMART application and underlying system, credential theft via NTLMv2 hash capture, and lateral movement within the network.
Likely Case
Unauthenticated attackers reading sensitive configuration files (web.config) containing machine keys, potentially leading to ViewState-based RCE or credential theft via SMB relay attacks.
If Mitigated
Exposure is limited to the internal network, so only trusted users can reach the service; proper network segmentation and authentication controls would prevent exploitation.
🎯 Exploit Status
Exploitation requires understanding of .NET Remoting, SOAP/binary formatters, and ASP.NET ViewState manipulation, but tools may exist in underground communities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 R1 or later
Vendor Advisory: https://www.calero.com/
Restart Required: No
Instructions:
1. Upgrade VeraSMART to version 2022 R1 or later.
2. Verify the .NET Remoting service on port 8001 is no longer exposed or is properly secured.
3. Review and update IIS machine keys if compromised.
🔧 Temporary Workarounds
Block Port 8001
Platform: Windows
Block inbound and outbound traffic to TCP port 8001 at the network firewall or host firewall to prevent remote access to the vulnerable service.
netsh advfirewall firewall add rule name="Block_VeraSMART_8001" dir=in action=block protocol=TCP localport=8001
netsh advfirewall firewall add rule name="Block_VeraSMART_8001_Out" dir=out action=block protocol=TCP remoteport=8001
Disable .NET Remoting Service
Platform: Windows
Disable the vulnerable .NET Remoting HTTP service in the VeraSMART configuration or in Windows Services if it is not required for functionality.
sc stop "VeraSMART_Remoting_Service"
sc config "VeraSMART_Remoting_Service" start= disabled
🧯 If You Can't Patch
- Isolate the VeraSMART server in a restricted network segment with no internet access and minimal internal access.
- Implement strict network access controls (firewall rules) to allow only trusted IPs to port 8001, and monitor for unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check if TCP port 8001 is listening on the VeraSMART server and accessible remotely; test with a network scanner or attempt to connect to EndeavorServer.rem or RemoteFileReceiver.rem endpoints.
Check Version:
Check VeraSMART application version via its administrative interface or installed programs list in Windows.
Verify Fix Applied:
After patching, verify port 8001 is no longer accessible or the service responds with authentication requirements; check VeraSMART version is 2022 R1 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to port 8001 in firewall or IIS logs
- Failed or successful connections to EndeavorServer.rem or RemoteFileReceiver.rem
- Unexpected file read/write operations in system or application logs
Network Indicators:
- Inbound traffic to TCP port 8001 from untrusted sources
- Outbound SMB connections from the VeraSMART server to external IPs
- Anomalous SOAP or binary data over port 8001
SIEM Query:
source="firewall" dest_port=8001 AND action=allow | stats count by src_ip
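The SIEM query above and the network indicators listed earlier can be checked offline against exported firewall logs. The following Python script is an added example, not part of the advisory or the vendor's tooling: it parses a few constructed key=value firewall log lines, reproduces the query's logic (allowed connections to TCP/8001 counted per source), filters out sources inside an assumed trusted range, and separately flags outbound SMB (TCP/445) from the VeraSMART host to non-internal addresses. The field names, the host address 10.0.1.15, the trusted and internal ranges, and the sample lines are all assumptions; adapt the parser to your own export format.

```python
"""Detection of CVE-2026-26333 exposure indicators over constructed firewall logs.

Added example, not from the advisory. Field names (action, src_ip, dest_ip,
dest_port), the VeraSMART host address and the network ranges are assumptions.
"""
import ipaddress
from collections import Counter

# Constructed sample log lines in key=value form; not real traffic.
SAMPLE_LOGS = """\
ts=2026-03-01T10:00:01Z action=allow proto=TCP src_ip=10.0.5.20 dest_ip=10.0.1.15 dest_port=8001
ts=2026-03-01T10:00:02Z action=allow proto=TCP src_ip=203.0.113.77 dest_ip=10.0.1.15 dest_port=8001
ts=2026-03-01T10:00:03Z action=allow proto=TCP src_ip=203.0.113.77 dest_ip=10.0.1.15 dest_port=8001
ts=2026-03-01T10:00:04Z action=block proto=TCP src_ip=198.51.100.9 dest_ip=10.0.1.15 dest_port=8001
ts=2026-03-01T10:00:05Z action=allow proto=TCP src_ip=10.0.1.15 dest_ip=198.51.100.44 dest_port=445
ts=2026-03-01T10:00:06Z action=allow proto=TCP src_ip=10.0.1.15 dest_ip=10.0.2.8 dest_port=445
ts=2026-03-01T10:00:07Z action=allow proto=TCP src_ip=10.0.5.20 dest_ip=10.0.1.15 dest_port=443
"""

# Assumed VeraSMART server address and the ranges permitted to reach port 8001.
VERASMART_HOST = "10.0.1.15"
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one 'key=value key=value ...' line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def _in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def allowed_8001_by_source(log_text):
    """Same logic as: dest_port=8001 AND action=allow | stats count by src_ip.

    Returns a {src_ip: count} mapping of allowed connections to TCP/8001.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") == "allow" and f.get("dest_port") == "8001":
            counts[f["src_ip"]] += 1
    return dict(counts)


def untrusted_8001_sources(log_text):
    """Sources that reached port 8001 from outside TRUSTED_NETS, sorted."""
    return sorted(
        ip for ip in allowed_8001_by_source(log_text)
        if not _in_any(ip, TRUSTED_NETS)
    )


def outbound_smb_to_external(log_text):
    """Outbound TCP/445 from the VeraSMART host to addresses outside INTERNAL_NETS.

    This is the relay / hash-capture indicator the advisory lists under
    Network Indicators.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("action") == "allow"
                and f.get("src_ip") == VERASMART_HOST
                and f.get("dest_port") == "445"
                and not _in_any(f["dest_ip"], INTERNAL_NETS)):
            hits.append(f["dest_ip"])
    return hits


if __name__ == "__main__":
    print("allowed 8001 by source:", allowed_8001_by_source(SAMPLE_LOGS))
    print("untrusted 8001 sources:", untrusted_8001_sources(SAMPLE_LOGS))
    print("outbound SMB to external:", outbound_smb_to_external(SAMPLE_LOGS))
```

On the constructed sample, the blocked attempt and the port 443 connection are ignored, the internal source in the trusted range is counted but not flagged, and only the external source and the outbound SMB connection to a non-internal address surface as findings. Replace SAMPLE_LOGS with a real export and the ranges with your own before relying on the results.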