Warning: Critical vulnerabilities in FreeScout could be exploited to achieve remote code execution, Patch Immediately!

Published: 25/02/2026
  • Last update: 25/02/2026
  • Affected software: FreeScout Help Desk
  • Type: Remote Code Execution (RCE)
  • CVE/CVSS
    → CVE-2026-27636: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2026-27637: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

FreeScout advisory (CVE-2026-27636) - https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc
FreeScout advisory (CVE-2026-27637) - https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9

Risks

In February 2026, FreeScout released two advisories for critical vulnerabilities in FreeScout, a help desk solution. The two vulnerabilities – CVE-2026-27636 and CVE-2026-27637 – can be chained, or exploited independently, to achieve remote code execution. There is no indication of active exploitation (cut-off date: 25 Feb 2026).

FreeScout is a popular help desk solution. Such solutions typically hold valuable customer data and are often connected to various internal applications, making them a prime target for further pivoting.

Description

CVE-2026-27636 is a critical vulnerability affecting FreeScout Help Desk. The issue lies in the file upload restriction list in app/Misc/Helper.php, which fails to block .htaccess and .user.ini files. On Apache servers with the common configuration AllowOverride All, an authenticated attacker can upload a .htaccess file to redefine how files are processed, thereby enabling remote code execution.

With the ability to perform remote code execution, an attacker could execute arbitrary system commands on the server, read or write files on the filesystem, pivot to other services and internal networks, and exfiltrate any data, including database credentials.

This vulnerability can be exploited by any authenticated user (any role, including agents) on a FreeScout instance running on Apache with AllowOverride All.

CVE-2026-27636 can be exploited independently or in combination with CVE-2026-27637.
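The root cause described above is a deny-list that checks file extensions and therefore never notices server configuration files such as .htaccess or .user.ini, which have no "dangerous" extension at all. The following PHP is an added illustration written for this advisory; it is not FreeScout's code from app/Misc/Helper.php. It places a deny-list check of that kind beside a hardened check that allow-lists attachment extensions, rejects dotfiles and well-known server configuration names, and refuses path separators and embedded extensions. The function names, extension lists and sample filenames are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout code. Extension deny-list of the kind the
// advisory describes: it only looks at the final extension, so ".htaccess"
// (extension "htaccess") and ".user.ini" (extension "ini") pass through.
const DENIED_EXTENSIONS = ['php', 'phtml', 'phar', 'cgi', 'pl', 'sh'];

function weakIsAllowedFilename(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Hardened variant (constructed lists): allow-list what an attachment may be,
// and reject everything a web server or PHP might interpret as configuration.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv', 'docx', 'xlsx', 'zip'];
const SERVER_CONFIG_NAMES = ['.htaccess', '.htpasswd', '.user.ini', 'php.ini', 'web.config'];

function hardenedIsAllowedFilename(string $name): bool
{
    // No empty names, path separators or NUL bytes in the raw user-supplied name.
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    $lower = strtolower($name);

    // Dotfiles and known server configuration files are never legitimate attachments.
    if ($lower[0] === '.' || in_array($lower, SERVER_CONFIG_NAMES, true)) {
        return false;
    }

    $segments = explode('.', $lower);
    if (count($segments) < 2) {
        return false; // a name without any extension is rejected too
    }
    array_shift($segments); // drop the base name, keep every extension segment

    // Any executable extension anywhere in the name (e.g. "shell.php.png") is rejected,
    // because some server configurations evaluate inner extensions.
    foreach ($segments as $segment) {
        if (in_array($segment, DENIED_EXTENSIONS, true)) {
            return false;
        }
    }

    // The effective (last) extension must be on the allow-list.
    return in_array(end($segments), ALLOWED_EXTENSIONS, true);
}

// Constructed sample names showing where the two checks disagree.
$samples = ['invoice.pdf', '.htaccess', '.user.ini', 'shell.php', 'shell.php.png', 'notes'];
foreach ($samples as $sample) {
    printf(
        "%-16s weak=%-5s hardened=%s\n",
        $sample,
        weakIsAllowedFilename($sample) ? 'true' : 'false',
        hardenedIsAllowedFilename($sample) ? 'true' : 'false'
    );
}
// Expected: the weak check accepts .htaccess, .user.ini and shell.php.png;
// the hardened check accepts only invoice.pdf.
```

Filename validation is only one layer. The exposure the advisory describes depends on Apache honouring per-directory overrides, so serving the upload directory with `AllowOverride None` and with script execution disabled removes the impact even if a configuration file does land on disk.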

CVE-2026-27637 is a critical vulnerability affecting FreeScout Help Desk. The flaw lies in the “TokenAuth” middleware, which generates authentication tokens in a predictable way. Because the token is static, an attacker who obtains the APP_KEY can compute a valid token for any user, including administrators. This enables a remote attacker to achieve full account takeover without any password. As a result, the attacker would gain access to all helpdesk conversations and customer data, be able to modify settings and create new admin accounts, and potentially compromise the server further through admin functionality.

CVE-2026-27637 affects all FreeScout installations where the APP_KEY may be exposed through any common Laravel misconfiguration vector.
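The weakness described above is a token that is a fixed function of a long-lived secret, so it is both predictable to anyone holding that secret and impossible to revoke without rotating the key. The following PHP is an added illustration for this advisory and is not FreeScout's TokenAuth middleware; the derivation shown as the weak pattern is a generic one and is not claimed to be FreeScout's. The hardened `TokenStore` class, its method names and the demo key are constructed for the example. It shows the properties a bearer token should have instead: generated from the CSPRNG per issuance, stored only as a hash, bound to an expiry, and revocable.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout code. Weak pattern: a token that is a
// deterministic function of the application key and the user id. Anyone who
// learns the key can recompute it for any user, and it never changes.
function weakDeriveToken(string $appKey, int $userId): string
{
    return hash_hmac('sha256', (string) $userId, $appKey);
}

// Hardened pattern (constructed class): unpredictable, hashed-at-rest, expiring tokens.
final class TokenStore
{
    /** @var array<string, array{user_id:int, expires_at:int}> keyed by sha256(token) */
    private array $records = [];

    // Issue a fresh 128-bit random token; only its hash is kept server-side,
    // so a leaked token table does not yield usable tokens.
    public function issue(int $userId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(16));
        $this->records[hash('sha256', $token)] = [
            'user_id'    => $userId,
            'expires_at' => $now + $ttlSeconds,
        ];
        return $token;
    }

    // Resolve a presented token to a user id, or null if unknown or expired.
    // Looking up the hash of the presented value means the stored table is never
    // compared byte-by-byte against attacker-controlled input.
    public function resolve(string $token, int $now): ?int
    {
        $lookup = hash('sha256', $token);
        $record = $this->records[$lookup] ?? null;
        if ($record === null) {
            return null;
        }
        if ($record['expires_at'] <= $now) {
            unset($this->records[$lookup]); // expired: drop it
            return null;
        }
        return $record['user_id'];
    }

    // Revocation is a single deletion; no key rotation required.
    public function revoke(string $token): void
    {
        unset($this->records[hash('sha256', $token)]);
    }
}

// Demo with a constructed key and user ids.
$demoKey = 'base64:constructed-demo-key-do-not-use';
// Static: the same key and user id always yield the same token.
assert(weakDeriveToken($demoKey, 1) === weakDeriveToken($demoKey, 1));

$store = new TokenStore();
$now   = time();
$token = $store->issue(42, 3600, $now);

assert($store->resolve($token, $now) === 42);                    // valid
assert($store->resolve($token, $now + 3601) === null);           // expired
assert($store->resolve(bin2hex(random_bytes(16)), $now) === null); // unknown token
$second = $store->issue(42, 3600, $now);
assert($second !== $token);                                       // new token per issuance
$store->revoke($second);
assert($store->resolve($second, $now) === null);                 // revoked
echo "token store checks passed\n";
```

In a real deployment the `$records` array would be a database table, but the properties to keep are the same: randomness from `random_bytes()`, storage of the hash rather than the token, and an expiry checked on every request. Exposure of the application key then no longer translates into a valid session for any user.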

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable installations with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.