FreeScout Remote Code Execution Vulnerability Due to Patch Bypass via Zero-Width Space

Vulnerability

A remote code execution vulnerability affects FreeScout versions up to and including 1.8.206. It is a bypass of the fix for an earlier vulnerability (CVE-2026-27636) and lets any authenticated user with file upload permissions execute arbitrary code on the server. The flaw lies in the 'sanitizeUploadedFileName()' function in 'app/Http/Helper.php': the forbidden-name check runs on the raw filename before the name is normalised for storage (a time-of-check to time-of-use ordering), so a '.htaccess' filename prefixed with a zero-width space character is not recognised by the check yet still ends up effective on disk. The attack is practical on Apache deployments where '.htaccess' files are honoured in the upload directory (for example 'AllowOverride All'), because that is what allows an uploaded file to change how the other uploads are served.
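As an added illustration (not FreeScout's code, and in Python rather than the PHP of 'Helper.php'), the block below contrasts a sanitiser that checks the denylist before stripping invisible characters, the ordering that lets a zero-width prefix through, with one that normalises first and checks the exact string that will reach the filesystem. The denylist, the helper names and the sample inputs are assumptions for the example; the hardened version also folds Unicode compatibility forms such as the fullwidth full stop, which goes beyond the specific bypass described on this page.

```python
import unicodedata

# Illustrative denylist of names Apache (or PHP) treats as configuration;
# not the list FreeScout uses.
DANGEROUS_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


def strip_invisible(name: str) -> str:
    """Drop Unicode format characters (Cf: zero-width space U+200B, joiners
    U+200C/U+200D, BOM U+FEFF, ...) and control characters (Cc)."""
    return "".join(ch for ch in name
                   if unicodedata.category(ch) not in ("Cf", "Cc"))


def sanitize_vulnerable(name: str) -> str:
    """Check first, clean second. The denylist compares '\u200b.htaccess'
    against '.htaccess' and lets it pass; the clean-up that follows removes
    the zero-width space, so the file is stored as '.htaccess'."""
    if name.lower() in DANGEROUS_NAMES:
        raise ValueError(f"forbidden filename: {name!r}")
    return strip_invisible(name)


def sanitize_hardened(name: str) -> str:
    """Normalise fully, then decide on the name that will actually be used."""
    cleaned = strip_invisible(name)
    cleaned = unicodedata.normalize("NFKC", cleaned)      # fold fullwidth '.' etc.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    cleaned = cleaned.strip()
    # Reject every dotfile, not only the known names: an allow-by-default
    # denylist is what the bypass exploited.
    if not cleaned or cleaned.startswith(".") or cleaned.lower() in DANGEROUS_NAMES:
        raise ValueError(f"forbidden filename: {name!r}")
    return cleaned


def accepted(sanitizer, name: str):
    """Return the stored filename, or None when the sanitizer rejects it."""
    try:
        return sanitizer(name)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs: the zero-width space bypass, a BOM variant, and a
    # compatibility-form variant.
    for probe in ("\u200b.htaccess", "\ufeff.htaccess", "\uff0ehtaccess", "report.txt"):
        print(repr(probe),
              "vulnerable ->", repr(accepted(sanitize_vulnerable, probe)),
              "hardened ->", repr(accepted(sanitize_hardened, probe)))
```

The vulnerable ordering returns '.htaccess' for the zero-width-prefixed input, which is exactly the filename Apache reads; the hardened ordering rejects it and every other dotfile.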

Impact

Exploitation gives an authenticated user with upload rights remote code execution on the server and is rated critical. An attacker can run arbitrary commands as the web server user, potentially compromising the whole host, reading sensitive data such as emails and attachments, disrupting the service, and using the machine as a foothold for lateral movement in internal networks.

Reproduction

To reproduce, log into FreeScout 1.8.206 as a user with file upload permissions and attach two files to a conversation: a '.htaccess' file whose name is prefixed with a zero-width space character, and a 'webshell.txt' file containing a PHP web shell. The '.htaccess' is what makes Apache execute 'webshell.txt' as PHP instead of serving it as text, so once both uploads are in place, requesting 'webshell.txt' through the web server runs the shell and gives command execution on the host.
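For incident responders, an added example (not part of the original advisory) of a scan over an attachments directory for the artefacts this kind of exploitation leaves behind: a server configuration file sitting where uploads live, filenames carrying invisible characters, and PHP source stored under a non-PHP extension. The directory layout, file contents and directive list are constructed for the example.

```python
import os
import re
import shutil
import tempfile
import unicodedata

CONFIG_NAMES = {".htaccess", ".htpasswd", ".user.ini"}
PHP_EXT = {".php", ".phtml", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)")
# Directives that would change how Apache serves neighbouring uploads.
HANDLER_DIRECTIVE = re.compile(
    rb"^\s*(AddType|AddHandler|SetHandler|php_value|php_flag)\b", re.I | re.M)


def has_invisible_chars(name: str) -> bool:
    return any(unicodedata.category(c) in ("Cf", "Cc") for c in name)


def visible_name(name: str) -> str:
    return "".join(c for c in name if unicodedata.category(c) not in ("Cf", "Cc"))


def scan_uploads(root: str):
    """Return (path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            plain = visible_name(fname)
            if has_invisible_chars(fname):
                findings.append((path, "invisible characters in filename"))
            if plain.lower() in CONFIG_NAMES:
                reason = "server config file in upload directory"
                if HANDLER_DIRECTIVE.search(head):
                    reason += " (remaps handlers)"
                findings.append((path, reason))
            ext = os.path.splitext(plain)[1].lower()
            if ext not in PHP_EXT and PHP_TAG.search(head):
                findings.append((path, f"PHP code inside {ext or 'extensionless'} file"))
    return findings


def build_sample_upload_dir() -> str:
    """Constructed sample tree, not real FreeScout data."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        ".htaccess": b"AddType application/x-httpd-php .txt\n",
        "webshell.txt": b"<?php system($_GET['cmd']); ?>\n",
        "\u200binvoice.pdf": b"%PDF-1.4 ...",
        "notes.txt": b"plain text attachment\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


def demo() -> dict:
    """Scan the constructed tree and map basename -> reason."""
    root = build_sample_upload_dir()
    try:
        return {os.path.basename(p): r for p, r in scan_uploads(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(repr(name), "->", reason)
```

Run it against the real attachments path instead of the sample tree; a hit on the config-file or PHP-in-text checks is the evidence to pull before deciding how far the compromise went.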

Remediation

Upgrade to FreeScout version 1.8.207, which fixes this vulnerability. Independently of the upgrade, storing uploads outside the web root, or serving them from a directory where Apache ignores '.htaccess' files ('AllowOverride None') and PHP execution is disabled, removes the whole class of attack rather than one filename.

Added: Mar 3, 2026, 11:18 PM
Updated: Mar 3, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 3.4
threat: 6.7
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.