
FreeScout Zero-Click RCE: Hackers Can Hijack Mail Servers (CVE-2026-28289)

A critical vulnerability in the open-source help desk platform FreeScout allows attackers to remotely execute code on vulnerable servers without any user interaction – a so-called “zero-click” exploit. The flaw, tracked as CVE-2026-28289, bypasses a recent security fix (CVE-2026-27636) and poses a significant risk to organizations using the platform.

Researchers at OX Security discovered the vulnerability, explaining that a malicious actor can exploit it simply by sending a crafted email to any address configured within FreeScout. This makes the vulnerability particularly dangerous, as it doesn’t require a user to click a link or open a malicious attachment – the mere receipt of the email is enough to potentially compromise the system.

The initial fix attempted to prevent dangerous file uploads by restricting file extensions and blocking filenames starting with a dot. However, the OX Research team found a way to circumvent this protection by inserting a zero-width space character (Unicode U+200B) before the filename. This invisible character bypasses the validation checks, allowing the file to be saved as a dotfile and triggering the original vulnerability, CVE-2026-27636.

As OX Security explained in a blog post, the vulnerability allows attackers to upload malicious files, such as .htaccess files, which can then be used to execute arbitrary commands on the server. The exploit chain leverages a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function within FreeScout’s code.
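As an added illustration (not FreeScout's code, and a simplified model of the flaw described above rather than a reproduction of it), the following Python contrasts a validate-then-sanitize filename check, where a leading U+200B hides the dot from the check and is stripped only afterwards, with the sanitize-then-validate order that makes every check run on exactly the name that will be written. The blocked-extension list, function names and sample filenames are assumed.

```python
import unicodedata
from typing import Optional

# Assumed, illustrative extension deny-list; a leading-dot check is meant to cover dotfiles.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}


def strip_invisible(name: str) -> str:
    """Remove Unicode format (Cf) and control (Cc) characters, e.g. U+200B ZERO WIDTH SPACE."""
    return "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))


def has_invisible(name: str) -> bool:
    """Detection helper: True when sanitizing would change the name (worth flagging in logs)."""
    return strip_invisible(name) != name


def weak_save_name(name: str) -> Optional[str]:
    """Vulnerable order: checks run on the raw name, sanitization runs afterwards.

    Returns the filename that would be written, or None when rejected.
    """
    if name.startswith("."):            # U+200B is the first char, so this passes
        return None
    if name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
        return None
    # The name actually written differs from the name that was checked: the invisible
    # character is removed here, leaving a dotfile such as ".htaccess".
    return strip_invisible(name)


def hardened_save_name(name: str) -> Optional[str]:
    """Fixed order: normalize and sanitize first, then validate the final string only."""
    final = strip_invisible(unicodedata.normalize("NFKC", name)).strip()
    if not final or final.startswith("."):
        return None
    if "." in final and final.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
        return None
    return final


if __name__ == "__main__":
    # Constructed sample attachment names; the first mimics the bypass described above.
    for sample in ("\u200b.htaccess", ".htaccess", "report.pdf", "shell.PHP"):
        print(repr(sample), "weak:", weak_save_name(sample),
              "hardened:", hardened_save_name(sample), "flag:", has_invisible(sample))
```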

FreeScout is a self-hosted alternative to popular help desk solutions like Zendesk and Help Scout, used by organizations to manage customer support emails and tickets. According to OX Research, Shodan scans revealed approximately 1,100 publicly exposed instances of FreeScout, indicating a potentially wide attack surface. The project’s GitHub repository currently has over 4,100 stars and 620 forks, further demonstrating its popularity.

The vulnerability affects all versions of FreeScout up to and including 1.8.206. The FreeScout team released version 1.8.207 four days ago to address the issue. The National Vulnerability Database (NVD) is currently undergoing analysis of CVE-2026-28289, but GitHub has assigned a critical severity score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), highlighting the severity of the risk. More details are available on the NVD website.

Successful exploitation of CVE-2026-28289 could lead to a full server compromise, data breaches, lateral movement within a network, and service disruption, according to the FreeScout team. Immediate patching is strongly advised. OX Research also recommends disabling ‘AllowOverride All’ in the Apache configuration, even after upgrading to version 1.8.207, as an additional security measure.

As of today, March 5, 2026, there have been no reports of active exploitation of CVE-2026-28289 in the wild. However, given the ease of exploitation and the potential impact, security experts warn that malicious activity is likely to begin soon. OX Security’s blog post provides a detailed technical analysis of the vulnerability and its exploitation.

Organizations using FreeScout should prioritize updating to version 1.8.207 and review their Apache configurations to mitigate the risk posed by this critical vulnerability. Continued monitoring for exploitation attempts is also recommended.

What comes next will likely involve increased scanning for vulnerable instances and potential exploitation attempts as attackers begin to actively target systems running older versions of FreeScout. Security teams should remain vigilant and prepared to respond to any potential incidents.
