- Last update: 04/03/2026
- Affected software: FreeScout Help Desk
- Type: Remote Code Execution (RCE)
- CVE/CVSS
→ CVE-2026-27636: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-27637: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-28289: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
FreeScout advisory (CVE-2026-27636) - https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc
FreeScout advisory (CVE-2026-27637) - https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9
In February 2026, FreeScout released two advisories for critical vulnerabilities in FreeScout, a help desk solution. The two vulnerabilities – CVE-2026-27636 and CVE-2026-27637 – can be chained, or exploited independently, to achieve remote code execution. There is no indication of active exploitation (cut-off date: 25 Feb 2026).
FreeScout is a popular help desk solution. Such solutions typically contain valuable customer data and are often connected with various internal applications, making them a prime target for further pivoting.
UPDATE 04/03/2026 (Update 1):
Proof of concepts exist where CVE-2026-28289 can be exploited with zero-click, simply with a crafted email.
If exploited, any of these remote code execution vulnerabilities could lead to full server/system takeover, and data exfiltration of sensitive support/inbox data stored in FreeScout including helpdesk tickets and mailbox content. Exploitation could also be used by threat actors for lateral movement to other systems in the same network.
UPDATE 04/03/2026 (Update 2):
There is a patch bypass for CVE-2026-27636 that could allow any authenticated user with file upload permissions to achieve remote code execution on a FreeScout server running any version prior to v1.8.207. This bypass was assigned the identifier CVE-2026-28289. It has the maximum CVSS score of 10.0.
All FreeScout 1.8.206 installations are affected when running on Apache with AllowOverride All enabled (a common configuration). Any organisation with a support email based on FreeScout is affected by CVE-2026-28289 until it has patched to v1.8.207.
CVE-2026-27636 is a critical vulnerability affecting FreeScout Help Desk. The issue lies in the file upload restriction list in app/Misc/Helper.php, which fails to block .htaccess and .user.ini files. On Apache servers with the common configuration AllowOverride All, an authenticated attacker can upload a .htaccess file to redefine how files are processed, thereby enabling remote code execution.
With the ability to perform remote code execution, an attacker could execute arbitrary systems commands on the server, read or write files on the filesystem, pivot to other services and internal networks, as well as exfiltrate any data including database credentials.
This vulnerability can be exploited by any authenticated user (any role, including agents) on a FreeScout instance running on Apache with AllowOverride All.
CVE-2026-27636 can be exploited independently or in combination with CVE-2026-27637.
CVE-2026-27637 is a critical vulnerability affecting FreeScout Help Desk. The flaw lies in the “TokenAuth” middleware, which generates authentication tokens in a predictable way. Because this token is static, an attacker who obtains the APP_KEY can compute a valid token for any user, including administrators. This would enable a remote attacker to achieve full account takeover without any password. As a result, the attacker would gain access to all helpdesk conversations and customer data, be able to modify settings and create new admin accounts, and potentially compromise the server further through admin functionality.
CVE-2026-27637 affects all FreeScout installations where the APP_KEY may be exposed through any common Laravel misconfiguration vector.
UPDATE (04/03/2026)
CVE-2026-28289 is a critical unauthenticated remote code execution vulnerability affecting FreeScout Help Desk. This CVE is a patch bypass for CVE-2026-27636. If you have patched for CVE-2026-27636 (patch v1.8.206), you remain vulnerable until you apply patch v1.8.207.
The flaw lies in the sanitizeUploadedFileName() function, which contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters.
An attacker without a valid user account could exploit CVE-2026-28289 to execute arbitrary system commands on the server, leading to full server compromise, access to all stored emails, conversations, and attachments, and service disruption. In addition, a threat actor could leverage it for lateral movement into internal networks.
Proofs of concept exist that exploit this vulnerability with a single crafted email, converting it into a zero-click RCE.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
It is recommended to disable AllowOverride All in the Apache configuration on the FreeScout server if possible.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
OX Security report - https://www.ox.security/blog/freescout-rce-cve-2026-28289/