Zero-Click FreeScout Bug Enables Remote Code Execution

By Team-CWD, March 6, 2026


Security researchers have urged FreeScout customers to patch a maximum-severity remote code execution (RCE) vulnerability that needs no user interaction to achieve full system compromise.

CVE-2026-28289 (Mail2Shell) is a bypass for an earlier vulnerability (CVE-2026-27636) in the open-source helpdesk platform, which could enable authenticated attackers to hijack targeted systems, according to Ox Security.

“We discovered a patch bypass that allowed us to reproduce the same RCE on newly updated servers, demonstrating how quickly incomplete fixes can be circumvented,” the security vendor explained in a blog post.

“During our deeper analysis, we escalated the attack chain further – converting it into a zero‑click RCE. By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without user interaction.”


Ox Security claimed that thousands of customers may be at risk. It said FreeScout has over 4000 GitHub stars and around 1100 publicly exposed instances identified via Shodan. The PHP-based Laravel framework on which FreeScout is based is even more widely adopted, with over 83,000 GitHub stars and around 13,000 publicly exposed servers, it added.

Impact and Next Steps

With full server/system takeover, attackers could steal data from helpdesk tickets, mailboxes and other data stored in FreeScout, the security vendor warned. They could also move laterally from FreeScout to other systems on the network.

Ox Security urged FreeScout customers to upgrade immediately to v1.8.207 or later, and to always disable `AllowOverride All` in the Apache configuration on the FreeScout server, even when on the latest version.
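One way to audit a server against both recommendations, as an added example that is not code from Ox Security or the FreeScout project: the script compares a version string with the fixed release and reports every `<Directory>` block that sets `AllowOverride All`. The sample configuration, hostname and paths are constructed for illustration.

```python
import re

FIXED_VERSION = (1, 8, 207)  # first fixed FreeScout release named in the article

# Constructed sample vhost; hostname and paths are illustrative assumptions.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName helpdesk.example.test
    DocumentRoot /var/www/freescout/public
    <Directory "/var/www/freescout/public">
        Options -Indexes
        # AllowOverride None
        AllowOverride All
    </Directory>
    <Directory /var/www/other>
        allowoverride None
    </Directory>
</VirtualHost>
"""

def is_patched(version):
    """True if a version string such as 'v1.8.207' is at or above the fixed release."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3]) >= FIXED_VERSION

def find_allowoverride_all(conf_text):
    """Return (directory, line_number) for every 'AllowOverride All' directive."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        opened = re.match(r"<(\w+)\s*(.*?)>$", line)
        if opened:  # section start: remember the path only for <Directory>
            is_dir = opened.group(1).lower() == "directory"
            stack.append(opened.group(2).strip("\"' ") if is_dir else None)
        elif line.startswith("</"):
            if stack:
                stack.pop()
        else:
            tokens = line.lower().split()
            if tokens[0] == "allowoverride" and "all" in tokens[1:]:
                scope = next((s for s in reversed(stack) if s), "(no Directory)")
                findings.append((scope, lineno))
    return findings

if __name__ == "__main__":
    print("patched:", is_patched("v1.8.206"))
    for path, lineno in find_allowoverride_all(SAMPLE_CONF):
        print(f"line {lineno}: AllowOverride All in {path}")
```

The check reads only the text it is given, so files pulled in through `Include` directives need to be passed to it as well.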

The problems associated with faulty or incomplete patches are well documented.

Back in 2021, Google’s Project Zero complained that as many as a quarter of zero-day exploits discovered the year before could have been avoided if vendors had taken a more methodical and comprehensive approach to patching.

Its decision to move to a full 90-day disclosure policy was designed to ensure vendors have more time to perform root cause and variant analysis.

In 2022, Trend Micro’s Zero Day Initiative (ZDI) also complained about poor patch quality across the industry, warning that it could be costing customers upwards of $400,000 per faulty update.

It noted both a decline in the quality of patches and vendor communication with customers.

Ox Security said that threat actors “routinely diff patches, probe fixes, and search for variant exploitation paths within hours of disclosure” in order to look for new attack paths. Even mature open source projects and well-resourced vendors have been found wanting in the past.


