CVE-2026-26335
📋 TL;DR
This vulnerability allows attackers to achieve remote code execution on Calero VeraSMART servers by exploiting static ASP.NET machine keys. Attackers can craft malicious ViewState payloads that bypass integrity validation, leading to server-side deserialization and code execution. Organizations using VeraSMART versions before 2022 R1 are affected.
💻 Affected Systems
- Calero VeraSMART
📦 What is this software?
Verasmart by Calero
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the VeraSMART server with SYSTEM-level privileges, enabling data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution in IIS application context, allowing data exfiltration, credential harvesting, and further network exploitation.
If Mitigated
Attackers gain initial access but are contained by network segmentation and application sandboxing.
🎯 Exploit Status
Requires obtaining machine keys from web.config file first; then crafting ViewState payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 R1 or later
Vendor Advisory: https://www.calero.com/
Restart Required: No
Instructions:
1. Upgrade VeraSMART to version 2022 R1 or later.
2. Verify web.config no longer contains static machine keys.
3. Ensure proper IIS application pool recycling.
🔧 Temporary Workarounds
Regenerate Machine Keys
Windows: Manually regenerate and update the machineKey values in web.config to unique, strong values.
- Use the ASP.NET IIS Registration Tool (aspnet_regiis) to generate new keys
- Update the <machineKey> section in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config
🧯 If You Can't Patch
- Restrict access to web.config file using NTFS permissions and IIS request filtering
- Implement network segmentation and firewall rules to limit VeraSMART server access
🔍 How to Verify
Check if Vulnerable:
Check C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config for static <machineKey> values; if they are present and identical across installations, the system is vulnerable.
Check Version:
Check VeraSMART application version via administrative interface or installed programs list
Verify Fix Applied:
Verify web.config contains auto-generated or unique machineKey values, and VeraSMART version is 2022 R1 or later.
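The web.config check above, and the cross-installation comparison it implies, as an added audit script (not part of this advisory or of the vendor's tooling). It parses a copy of web.config, flags any <machineKey> whose validationKey or decryptionKey is hard-coded rather than AutoGenerate, and reports installations that share the same keys by fingerprint so the raw key values never leave the host; the sample configurations are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments; the key values are placeholders,
# not keys from any real VeraSMART installation.
STATIC_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="00112233445566778899AABBCCDDEEFF0011223344556677"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

AUTO_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> dict:
    """Report whether the <machineKey> in a web.config uses static keys.

    A value starting with 'AutoGenerate' is produced per machine by ASP.NET;
    anything else is a hard-coded key that anyone who can read the file (or a
    cloned install image) can reuse to sign ViewState. The fingerprint is a
    truncated SHA-256 of the keys, safe to collect centrally for comparison.
    """
    root = ET.fromstring(config_xml)
    elems = list(root.iter("machineKey"))
    if not elems:
        # No explicit element: ASP.NET falls back to auto-generated keys.
        return {"present": False, "static": False, "fingerprint": None}
    mk = elems[0]
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    is_static = not (vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"))
    fp = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16] if is_static else None
    return {"present": True, "static": is_static, "fingerprint": fp,
            "validation": mk.get("validation"), "decryption": mk.get("decryption")}


def find_shared_keys(configs: dict) -> dict:
    """Map each static-key fingerprint to the hosts sharing it (only groups of 2+)."""
    groups = {}
    for host, xml_text in configs.items():
        result = audit_machine_key(xml_text)
        if result["static"]:
            groups.setdefault(result["fingerprint"], []).append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}
```

Run it against copies of web.config gathered from each VeraSMART host; any fingerprint that maps to more than one host means those installations share a key and both need regeneration.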
📡 Detection & Monitoring
Log Indicators:
- Unusual ViewState payload sizes in IIS logs
- Failed deserialization events in Windows Event Logs
- Unauthorized access attempts to web.config file
Network Indicators:
- Malformed ASP.NET ViewState requests to VeraSMART endpoints
- Unusual outbound connections from VeraSMART server
SIEM Query:
source="IIS" AND (uri="*.aspx" OR uri="*.ashx") AND (bytes_received>10000 OR status=500) | stats count by src_ip