Calero VeraSMART Static Machine Key Vulnerability Leading to Remote Code Execution
Vulnerability
A remote code execution vulnerability exists in Calero VeraSMART versions prior to 2022 R1. The issue arises from the use of static ASP.NET/IIS machineKey values, which are stored in the application's web.config file. An attacker who retrieves these keys can forge an ASP.NET ViewState payload whose MAC validates under the stolen validationKey, so the application's integrity check passes and the payload is accepted. The application then deserializes the attacker-controlled ViewState on the server, leading to remote code execution within the context of the IIS application.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, executed in the context of the IIS application.
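A defender's check for the misconfiguration described above, added here as an illustration and not Calero's own code: it parses a web.config, flags hard-coded machineKey values, a weak ViewState MAC algorithm or a disabled ViewState MAC, and shows the weak element beside a hardened one. The sample configs are constructed; the hardened form uses AutoGenerate,IsolateApps, which assumes a single server (a web farm needs a shared key kept outside the deployable config and rotated).

```python
import re
import xml.etree.ElementTree as ET

# Hex-encoded key literal (ASP.NET machineKey values are 40 to 128 hex chars).
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{40,128}$")
# ViewState MAC algorithms this audit treats as acceptable (assumption: HMAC-SHA2 only).
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for a web.config; an empty list means no static or weak key settings."""
    findings = []
    root = ET.fromstring(web_config_xml)
    # iter() also catches <machineKey> nested under <location> overrides.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if HEX_KEY.match(value):
                findings.append(f"static {attr}: anyone who reads web.config can forge ViewState; rotate it")
            elif "AutoGenerate" in value and "IsolateApps" not in value:
                findings.append(f"{attr} is auto-generated but shared by every app on the host")
        validation = mk.get("validation", "HMACSHA256").upper()  # .NET 4.x default
        if validation not in STRONG_VALIDATION:
            findings.append(f"weak ViewState MAC algorithm: validation={validation}")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState is not integrity-checked at all")
    return findings

# Constructed sample configs (not Calero's); the key bytes are obviously fake fillers.
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="%s" validation="SHA1" decryption="AES" />
</system.web></configuration>""" % ("A1B2C3D4" * 16, "0F1E2D3C" * 8)

HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["OK"])
```

Rotating a static key invalidates outstanding ViewState and forms-authentication tickets, so schedule the change with a deployment.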
