A critical vulnerability in FreeScout, a popular open-source help desk platform, is being actively exploited, allowing attackers to execute remote code without user interaction. The flaw, tracked as CVE-2026-28289, has been assigned a CVSS score of 8.1, indicating its high severity. This vulnerability stems from a patch bypass in FreeScout versions 1.8.206 and earlier, which permits any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) by uploading a malicious file.
The vulnerability is particularly concerning due to its zero-click nature, meaning that attackers can exploit it without requiring any action from the victim. This is achieved through a crafted email that leverages the vulnerability to execute arbitrary code on the server. The exploitability of this flaw is underscored by the availability of both a proof-of-concept (PoC) and an exploit, which have been circulating since March 3, 2026.
The vulnerability is categorized under CWE-434, which involves unrestricted file upload, a common vector for RCE attacks. The exploit's timeline, with a TTE of -3.0 days, indicates that the PoC and exploit were available even before the vulnerability was publicly disclosed, suggesting that attackers may have had early access to the exploit details.
FreeScout, built on PHP's Laravel framework, is widely used by organizations seeking a free, self-hosted help desk solution. The impact of this vulnerability is significant, as it could allow attackers to gain full control over the affected systems, potentially leading to data breaches or further exploitation within the network.
Administrators of FreeScout installations are urged to apply the latest patches immediately to mitigate the risk of exploitation. Given the active exploitation and the high severity of the vulnerability, organizations should prioritize this update and review their systems for any signs of compromise. Additionally, monitoring for unusual activity and implementing strict file upload policies can help reduce the risk of similar vulnerabilities in the future.
CSURFACE