DevBlacksmith

Tech blog and developer tools

Mail2Shell: A Single Email Can Fully Compromise Your FreeScout Helpdesk Server

What Happened

Security researchers at OX Security discovered CVE-2026-28289, a critical vulnerability in FreeScout, a popular open-source helpdesk platform. They named the attack Mail2Shell — and the name is accurate.

An attacker can take over a FreeScout server by sending a single email to any address configured in the platform. No authentication required. No user interaction needed. The email itself is the exploit.

CVSS score: 10.0 — the maximum possible severity.

How It Works

CVE-2026-28289 is a patch bypass. FreeScout had previously fixed a similar vulnerability, CVE-2026-27636, which allowed attackers to upload dangerous files (like .htaccess or .user.ini) as email attachments. The fix in FreeScout v1.8.206 added a validation check that blocked filenames starting with a dot (.).

The bypass is elegant in its simplicity:

Step 1: The Zero-Width Space Trick

The attacker prepends a zero-width space (Unicode U+200B) to the malicious filename: instead of .htaccess, the attachment is named [U+200B].htaccess.

The check passes, because the string no longer starts with a dot; it starts with an invisible character. Later in the save path, though, the U+200B is stripped, and the file is written to disk as a plain .htaccess. The validation and the write operate on different strings: the check ran on the raw name, and the sanitization ran after it.

Step 2: The Payload

The attacker sends an email with two attachments:

  1. A crafted .htaccess file that reconfigures Apache to execute .jpg files as PHP
  2. A webshell disguised as an image file — a PHP payload with a .jpg extension

Step 3: The Execution

When FreeScout processes the incoming email:

  1. It saves both attachments to disk at a predictable location within FreeScout's web-accessible directory
  2. The .htaccess file tells Apache to treat .jpg files in that directory as PHP scripts
  3. The attacker navigates to the webshell URL and executes arbitrary commands on the server

Result: full server compromise from one email.
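The ordering flaw in step 1, as an added example in Python that is not FreeScout's code: a model of a save path that validates the raw attachment name and only afterwards strips invisible characters, next to the order that closes the gap. The function names, the stripping rule (Unicode format and control characters) and the NFKC normalization in the hardened version are assumptions for illustration; the post describes the dot check and the later stripping, not the exact code.

```python
"""Model of the check-then-sanitize ordering bug that the ZWSP bypass abuses.

Added illustration, not FreeScout's code. It assumes the vulnerable pipeline
(1) rejects a raw attachment name that starts with '.', and (2) later strips
invisible characters before writing the file, so the string that was checked
is not the string that reaches disk. The hardened version does the cleanup
first and validates the exact string it will write.
"""
import unicodedata
from typing import Optional


def strip_invisible(name: str) -> str:
    """Drop Unicode format characters (category Cf: U+200B, U+200C, U+FEFF, ...)
    and control characters (Cc), the kind of cleanup a save path often does."""
    return "".join(ch for ch in name
                   if unicodedata.category(ch) not in ("Cf", "Cc"))


def save_name_vulnerable(name: str) -> Optional[str]:
    """Patched-but-bypassable order: validate the raw name, then sanitize."""
    if name.startswith("."):          # the dot check described above (assumed shape)
        return None                   # rejected
    return strip_invisible(name)      # "\u200b.htaccess" becomes ".htaccess" on disk


def save_name_hardened(name: str) -> Optional[str]:
    """Sanitize, normalize and reduce to a basename first; only then validate."""
    cleaned = unicodedata.normalize("NFKC", strip_invisible(name))
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1].strip()  # no path parts
    if not cleaned or cleaned.startswith("."):
        return None                   # empty name or any dotfile (.htaccess, .user.ini, ...)
    return cleaned


if __name__ == "__main__":
    for candidate in ("\u200b.htaccess", ".htaccess", "\uff0ehtaccess", "report.jpg"):
        print(repr(candidate), "->",
              "vulnerable:", save_name_vulnerable(candidate),
              "hardened:", save_name_hardened(candidate))
```

The vulnerable order returns ".htaccess" for the zero-width-space name and would write it; the hardened order rejects it, and also rejects a fullwidth "．htaccess" (U+FF0E, folded to "." by NFKC) and a path-traversal variant, because every check runs on the post-normalization string. The more robust design is to never reuse an attacker-supplied name on disk at all: store the blob under a server-generated name and keep the original only as metadata.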

Why This Is Particularly Dangerous

Zero-Click, Zero-Auth

Many RCE vulnerabilities require some form of user interaction or authentication. CVE-2026-28289 requires neither. If FreeScout is configured to receive email (which is its primary function), the server is exploitable. Nobody has to open the email, click a link, or log into the platform.

Predictable File Paths

The attachments are saved to a known location on the server's filesystem, which means the attacker knows exactly where to access the webshell after the email is processed.

Patch Bypass

This vulnerability specifically bypasses an existing security fix. Organizations that thought they were protected after updating to v1.8.206 were still vulnerable. This is a reminder that security patches deserve the same adversarial scrutiny as the original vulnerability.

Who's Affected

  • All FreeScout versions up to and including v1.8.206 are vulnerable
  • According to Shodan, approximately 1,100 FreeScout instances are publicly exposed on the internet
  • Affected organizations span public health institutions, financial services, technology providers, and news organizations

The exposure number may seem small, but FreeScout instances process sensitive data by nature — they're helpdesks. A compromised helpdesk gives attackers access to customer communications, support tickets, internal discussions, and potentially credentials shared in tickets.

What You Need to Do

Update Immediately

FreeScout v1.8.207 patches this vulnerability. Update now.

# If you installed via git
cd /path/to/freescout
git pull
php artisan freescout:after-app-update

Harden Apache Configuration

Even after updating, stop Apache from honouring per-directory .htaccess files under the FreeScout document root. With AllowOverride None an uploaded .htaccess is inert, which neutralizes this entire class of attack:

<Directory /path/to/freescout/public>
    AllowOverride None
</Directory>

Two caveats. FreeScout is a Laravel application and, like any Laravel app, relies on the rewrite rules in its own public/.htaccess; once overrides are disabled those rules are ignored, so move them into the <Directory> block or the virtual host first, or the application's routing will break. And AllowOverride only governs Apache: a .user.ini, the other file named above, is read by PHP-FPM/CGI regardless of that setting, so also make sure PHP is not executed at all for the directory attachments are written to.

Check for Compromise

If you were running FreeScout v1.8.206 or earlier with public email ingestion:

  1. Search the attachment directories for unexpected dotfiles, above all .htaccess and .user.ini. The zero-width space is stripped before the write, so the file on disk carries the plain name; search by name, not for the Unicode prefix
  2. Look for .jpg, .png, or .gif files that contain PHP code, or whose leading bytes are not a valid image header
  3. Review Apache access logs for requests to attachment directories, in particular requests for image files that carry a query string or use POST
  4. Check for unusual outbound connections from the FreeScout server
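The first three checks above as a small Python triage script. This is an added example, not FreeScout's code or tooling: it assumes you pass the attachment directory and the URL prefix under which it is served (the post names neither; /attachments/ in demo() is a placeholder), and the files and access-log lines in demo() are constructed. It flags dotfiles, files with an image extension whose leading bytes are not that format's magic number, any file containing a PHP open tag (including polyglots that keep a valid image header), and served requests for image files under the attachment prefix that carry a query string or use POST.

```python
"""Triage helper for the compromise checks above.

Added example, not FreeScout's code. Nothing here assumes FreeScout's real
storage layout: the attachment directory and its URL prefix are parameters.
"""
import os
import re
import tempfile
from pathlib import Path

# Leading bytes a file with this extension should start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Apache combined log: host ident user [time] "METHOD TARGET PROTO" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')


def scan_tree(root):
    """Return (kind, relative_path) findings for files that need a closer look."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            data = path.read_bytes()
            ext = path.suffix.lower()
            if name.startswith("."):                                 # .htaccess, .user.ini, ...
                findings.append(("dotfile", rel))
            if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
                findings.append(("bad_magic", rel))                  # "image" that is not one
            if PHP_OPEN_TAG.search(data):
                findings.append(("php_code", rel))                   # catches polyglots too
    return findings


def suspicious_requests(log_lines, attachment_prefix):
    """Flag successfully served requests for image files under the attachment
    prefix that look like webshell use: a query string or a POST body."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if status != "200" or not path.startswith(attachment_prefix):
            continue
        if Path(path).suffix.lower() in IMAGE_MAGIC and (query or method == "POST"):
            hits.append((host, method, target))
    return hits


def demo():
    """Build a constructed attachment tree and log excerpt, then scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "42"
        d.mkdir()
        # constructed samples: the two attachment types the post describes,
        # a genuine image, and a polyglot with a valid GIF header
        (d / ".htaccess").write_bytes(b"AddType application/x-httpd-php .jpg\n")
        (d / "shell.jpg").write_bytes(b"<?php /* placeholder for a webshell */ ?>")
        (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        (d / "poly.gif").write_bytes(b"GIF89a" + b"\x00" * 10 + b"<?php echo 1; ?>")
        tree = scan_tree(tmp)
    log = [  # constructed log lines, not real traffic; /attachments/ is a placeholder prefix
        '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /attachments/42/photo.jpg HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /attachments/42/shell.jpg?cmd=id HTTP/1.1" 200 84 "-" "curl/8.4.0"',
        '203.0.113.9 - - [10/Mar/2026:12:00:09 +0000] "POST /attachments/42/shell.jpg HTTP/1.1" 200 120 "-" "curl/8.4.0"',
        '198.51.100.7 - - [10/Mar/2026:12:01:00 +0000] "GET /attachments/42/shell.jpg?cmd=id HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    ]
    return {"tree": tree, "requests": suspicious_requests(log, "/attachments/")}


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section)
        for row in rows:
            print("  ", row)
```

Run it against the real attachment directory with scan_tree() and against the real access log with suspicious_requests(); the log heuristic is deliberately narrow (image files, query string or POST, status 200) to keep noise low, so treat any hit as worth pulling the full request history for that client.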

Consider Network Isolation

If your helpdesk processes sensitive data, it shouldn't be running on the same network segment as your production infrastructure without proper segmentation. A compromised helpdesk server that can reach your internal network is a lateral movement opportunity.

The Bigger Picture

CVE-2026-28289 highlights a recurring pattern in open-source security: patches that don't address the root cause create a false sense of security. The original fix for CVE-2026-27636 blocked the obvious form of the attack, a name that literally begins with a dot, but it validated the name before a later step rewrote it, so the string that was checked was not the string that was saved.

This is also a case study in why defense in depth matters. If the FreeScout deployment had AllowOverride None in the Apache configuration, the .htaccess bypass wouldn't have mattered. If the attachment directory wasn't web-accessible, the webshell couldn't have been reached. Multiple layers of defense would have stopped this attack even without the patch.

For anyone running open-source helpdesk software in production: treat it like any other internet-facing application. Harden the web server. Restrict file upload handling. Monitor for anomalous behavior. And update the moment patches are available.
