CVE-2026-28289
📋 TL;DR
This CVE describes a patch bypass vulnerability in FreeScout help desk software that allows authenticated users with file upload permissions to achieve Remote Code Execution (RCE) by uploading malicious .htaccess files. Attackers bypass security checks using zero-width space characters in filenames due to a TOCTOU flaw in the sanitization function. All FreeScout instances running version 1.8.206 or earlier are affected.
💻 Affected Systems
- FreeScout
📦 What is this software?
Freescout by Freescout
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, pivot to other systems, and maintain persistent access.
Likely Case
Authenticated attackers with file upload permissions gain RCE, potentially compromising the FreeScout instance and accessing sensitive help desk data.
If Mitigated
With proper access controls limiting file upload permissions and network segmentation, impact is limited to the FreeScout application only.
🎯 Exploit Status
Exploitation requires authenticated access with file upload permissions. The vulnerability is a patch bypass for CVE-2026-27636, making exploitation techniques well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.207
Vendor Advisory: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp
Restart Required: No
Instructions:
1. Backup your FreeScout instance and database.
2. Download version 1.8.207 from the official repository.
3. Replace the affected files, particularly app/Http/Helper.php.
4. Clear the Laravel cache if applicable.
5. Verify the fix by testing file upload functionality.
🔧 Temporary Workarounds
Restrict file upload permissions
Temporarily remove file upload permissions from all non-essential users until patching can be completed.
# Modify user roles in FreeScout admin panel to remove file upload capabilities
Block .htaccess file uploads
Implement web application firewall rules or server configuration to block uploads of .htaccess files (or to stop an uploaded .htaccess from taking effect).
# For Apache: <Directory "/path/to/freescout/upload/dir"> AllowOverride None </Directory>  (directive applies to the upload directory; adjust the path)
# For Nginx: location ~* \.htaccess$ { deny all; }
🧯 If You Can't Patch
- Implement strict access controls to limit file upload permissions to only absolutely necessary users
- Deploy web application firewall with rules to detect and block malicious file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check FreeScout version in admin panel or by examining the application files. Versions 1.8.206 or earlier are vulnerable.
Check Version:
Check the FreeScout admin panel, or examine the version string in the app/version.php file.
Verify Fix Applied:
After updating to 1.8.207, verify the sanitizeUploadedFileName() function in app/Http/Helper.php properly handles zero-width characters before dot-prefix checks.
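The ordering the verification step asks you to confirm is the general point here: any check that runs on the raw filename before invisible characters (or whitespace) are removed can be satisfied by a name that only looks different. The block below is an added illustration, not FreeScout's code and not the contents of app/Http/Helper.php; the function names, the sample filenames and the choice to strip Unicode format (Cf) and control (Cc) characters are assumptions made for the example. It goes slightly beyond the advisory by showing that a leading space defeats a check-then-strip ordering the same way a zero-width space does.

```python
import unicodedata

# Unicode general categories removed before any content check:
# Cf = format characters (zero-width space U+200B, ZWNJ U+200C, ZWJ U+200D, BOM U+FEFF, ...),
# Cc = control characters (NUL, newline, ...).  Chosen for this example.
INVISIBLE_CATEGORIES = ("Cf", "Cc")


def strip_invisible(name: str) -> str:
    """Remove format and control characters, then surrounding whitespace."""
    cleaned = "".join(c for c in name if unicodedata.category(c) not in INVISIBLE_CATEGORIES)
    return cleaned.strip()


def is_dot_prefixed(name: str) -> bool:
    """Server configuration files such as .htaccess start with a dot; reject those."""
    return name.startswith(".")


def check_then_strip(name: str):
    """Ordering the advisory warns against (illustrative only): the dot-prefix
    check runs on the raw name and invisible characters are removed afterwards,
    so '\\u200b.htaccess' passes the check and is stored as '.htaccess'.
    Returns the name that would be stored, or None if the upload is rejected."""
    if is_dot_prefixed(name):
        return None
    return strip_invisible(name)


def strip_then_check(name: str):
    """Hardened ordering: normalize first, then run every check on the exact
    string that will be written to disk. Empty results are rejected too."""
    cleaned = strip_invisible(name)
    if not cleaned or is_dot_prefixed(cleaned):
        return None
    return cleaned


# Constructed sample filenames for the comparison (not taken from the advisory).
SAMPLES = ["invoice.pdf", ".htaccess", "\u200b.htaccess", "\ufeff.htaccess", "\u200b", " .htaccess"]


def compare(samples=SAMPLES):
    """Map each sample (repr, so invisible characters are visible) to the
    (check_then_strip, strip_then_check) outcomes."""
    return {repr(n): (check_then_strip(n), strip_then_check(n)) for n in samples}


if __name__ == "__main__":
    for name, (weak, hardened) in compare().items():
        print(f"{name:22} check-then-strip={weak!r:14} strip-then-check={hardened!r}")
```

When reviewing a patched sanitizer, the property to look for is that every rejection rule (dot prefix, extension allow-list, path separators) is evaluated on the same string that is finally passed to the filesystem, not on an earlier form of it.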
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts
- Successful uploads of .htaccess files
- Unusual file names containing special characters
Network Indicators:
- POST requests to file upload endpoints with unusual filenames
- Subsequent suspicious requests following file uploads
SIEM Query:
source="web_server" AND (uri="*upload*" OR filename="*.htaccess*") AND (status=200 OR status=201)
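The SIEM query above matches on the literal string `.htaccess`, which a filename carrying a zero-width space defeats in the same way it defeated the sanitizer. The following added example (not part of the advisory and not FreeScout tooling) applies the log indicators listed above to a handful of constructed JSON log lines: it strips invisible characters from the logged filename before testing it, tags each upload event with the indicators it triggers, and rates accepted `.htaccess` uploads highest. The field names, the `/attachments/upload` path and the log lines themselves are constructed for the example.

```python
import json
import unicodedata

# Same normalization as the sanitizer check: drop Unicode format and control characters.
INVISIBLE_CATEGORIES = ("Cf", "Cc")


def visible_name(name: str) -> str:
    """Filename as it would be stored once invisible characters are removed."""
    return "".join(c for c in name if unicodedata.category(c) not in INVISIBLE_CATEGORIES).strip()


def classify(event: dict) -> list:
    """Return the indicator tags an upload event triggers (empty list = benign).
    Only requests whose URI contains 'upload' are considered (assumed endpoint shape)."""
    tags = []
    if "upload" not in str(event.get("uri", "")).lower():
        return tags
    raw = str(event.get("filename", ""))
    name = visible_name(raw)
    if name != raw:
        tags.append("invisible-chars")          # Log indicator: unusual characters in the name
    if name.startswith("."):
        tags.append("dot-prefixed")
    if name.lower().endswith(".htaccess"):
        tags.append("htaccess")                 # Log indicator: .htaccess upload attempt
    if tags and event.get("status") in (200, 201):
        tags.append("accepted")                 # The upload was not rejected by the server
    return tags


def severity(tags: list) -> str:
    """Accepted .htaccess upload = high; any other accepted suspicious upload = medium;
    rejected attempts are still worth a low-severity record (failed-attempt indicator)."""
    if "accepted" in tags and "htaccess" in tags:
        return "high"
    if "accepted" in tags:
        return "medium"
    return "low"


def scan_log(lines) -> list:
    """Parse JSON log lines and return one alert dict per suspicious upload event."""
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue                            # skip malformed lines rather than abort the scan
        tags = classify(event)
        if tags:
            alerts.append({
                "src": event.get("src"),
                "filename": repr(event.get("filename", "")),  # repr makes \u200b visible in output
                "tags": tags,
                "severity": severity(tags),
            })
    return alerts


# Constructed sample log lines (JSON, one event per line); not real FreeScout logs.
SAMPLE_LOG = [
    '{"method":"POST","uri":"/attachments/upload","status":200,"filename":"invoice.pdf","src":"10.0.0.5"}',
    '{"method":"POST","uri":"/attachments/upload","status":200,"filename":"\\u200b.htaccess","src":"10.0.0.9"}',
    '{"method":"POST","uri":"/attachments/upload","status":422,"filename":".htaccess","src":"10.0.0.9"}',
    '{"method":"GET","uri":"/mailbox/1","status":200,"filename":"","src":"10.0.0.5"}',
    '{"method":"POST","uri":"/attachments/upload","status":201,"filename":"notes\\u200c.txt","src":"10.0.0.7"}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Because the comparison is made on the normalized filename, the query logic above catches both the plain `.htaccess` attempt that the server rejected and the zero-width-space variant that it accepted; a SIEM rule that only does a wildcard match on the raw field sees just the first.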