{"id":11123,"date":"2026-03-05T10:03:50","date_gmt":"2026-03-05T10:03:50","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/05\/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers\/"},"modified":"2026-03-05T10:03:50","modified_gmt":"2026-03-05T10:03:50","slug":"mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/05\/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers\/","title":{"rendered":"Mail2Shell Zero-Click Attack lets Hackers Hijack FreeScout Mail Servers"},"content":{"rendered":"

Mail2Shell Zero-Click Attack lets Hackers Hijack FreeScout Mail Servers
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Researchers have uncovered a critical zero-click vulnerability<\/a> in FreeScout, a widely used open-source help desk and shared mailbox application.<\/p>\n

Dubbed \u201cMail2Shell,\u201d this flaw allows attackers to hijack mail servers<\/a> without any user interaction or authentication.<\/p>\n

The vulnerability, tracked as CVE-2026-28289, bypasses a recently patched Remote Code Execution (RCE) flaw, escalating it into an unauthenticated zero-click attack.<\/p>\n

The Zero-Click Escalation Path<\/strong><\/h2>\n

Just days after FreeScout patched an authenticated RCE vulnerability<\/a> (CVE-2026-27636), security analysts found a way to bypass the incomplete fix.<\/p>\n

The original patch attempted to block dangerous file uploads by appending an underscore to files with restricted extensions or names starting with a period.<\/p>\n

\"Attack
Attack Graph (source: OX. Security)<\/figcaption><\/figure>\n

However, attackers can easily bypass this validation by prepending a Zero-Width Space character <\/a>(Unicode U+200B) to the malicious filename.<\/p>\n

\"Blocked
Blocked risky uploads via underscores (source: OX. Security)<\/figcaption><\/figure>\n

Because the system does not treat this hidden character as visible content during the initial security check, the file slips past the filter.<\/p>\n

Later in the processing chain, the server strips the U+200B character, leaving the payload as a dangerous dotfile.<\/p>\n

To exploit this, an attacker sends a crafted email containing the malicious payload<\/a> to any address connected to the FreeScout server.<\/p>\n

The system automatically writes the file to disk in a predictable directory (\/storage\/attachment\/\u2026).<\/p>\n

The hacker can then navigate to the payload via the web interface and execute remote commands instantly. This entire chain requires absolutely no authentication and no interaction from the victim.<\/p>\n

Impact and Immediate Mitigation<\/strong><\/h2>\n

FreeScout is heavily utilized by public health institutions, financial platforms, and technology providers to manage customer support.<\/p>\n

Built on the Laravel PHP framework<\/a>, FreeScout has over 1,100 publicly exposed instances, making it a highly lucrative target for threat actors.<\/p>\n

\"Bypass
Bypass confirmed, escalating to unauthenticated RCE(source :OX. Security)<\/figcaption><\/figure>\n

According to OX Security researchers<\/a>, if exploited, the Mail2Shell vulnerability can lead to complete server takeover.<\/p>\n

Hackers can exfiltrate sensitive helpdesk tickets, steal customer inbox data<\/a>, and use the compromised host to move laterally across the organization\u2019s network.<\/p>\n

\"Payload
Payload accessed, enabling remote server commands(source : OX. Security)<\/figcaption><\/figure>\n

The FreeScout maintainers responded quickly by releasing version 1.8.207 to close the variant attack path.<\/p>\n

Administrators must apply this update immediately, as an older patch does not protect against this zero-click escalation.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Mail2Shell Zero-Click Attack lets Hackers Hijack FreeScout Mail Servers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Mail2Shell Zero-Click Attack lets Hackers Hijack FreeScout Mail Servers Researchers have uncovered a critical zero-click vulnerability in FreeScout, a widely used open-source help desk and shared mailbox application. Dubbed \u201cMail2Shell,\u201d this flaw allows attackers to hijack mail servers without any user interaction or authentication. The vulnerability, tracked as CVE-2026-28289, bypasses a recently patched Remote Code […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-11123","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11123"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11123"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11123\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}