Zero-Click Email Attack Gives Full Control of FreeScout Servers
Security researchers at OX Security have disclosed Mail2Shell (tracked as CVE-2026-28289), a CVSS 10.0 zero-click, unauthenticated remote code execution vulnerability in FreeScout, a widely used open-source helpdesk and mail management platform. The flaw requires no authentication, no user interaction, and no prior access — an attacker need only send an email to any mailbox configured in FreeScout to achieve full server compromise.
CVE-2026-28289 is a patch bypass for CVE-2026-27636, a high-severity authenticated RCE vulnerability patched in a prior FreeScout release. The bypass, a Time-of-Check to Time-of-Use (TOCTOU) flaw in the platform's filename sanitization routine, elevates the severity from authenticated to completely unauthenticated — and from interactive to zero-click.
The vulnerability was patched in FreeScout version 1.8.207, released alongside the disclosure.
Vulnerability Summary
| Detail | Value |
|---|---|
| CVE | CVE-2026-28289 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-434: Unrestricted Upload of File with Dangerous Type |
| Type | Zero-click unauthenticated RCE |
| Root Cause | TOCTOU flaw — dot-prefix check precedes zero-width space sanitization |
| Attack Vector | Send malicious email to any FreeScout mailbox |
| Authentication Required | None |
| User Interaction Required | None |
| Affected Versions | FreeScout ≤ 1.8.206 |
| Required Condition | Apache with AllowOverride All enabled |
| Patched In | FreeScout 1.8.207 |
| Discovered By | OX Security |
| Prior Bypass Target | CVE-2026-27636 |
Technical Deep Dive
The Original Flaw: CVE-2026-27636
CVE-2026-27636 was an authenticated RCE vulnerability in FreeScout's file attachment handling. An authenticated user could upload a malicious .htaccess file disguised as an email attachment, which Apache would then interpret as a configuration file — enabling execution of arbitrary server-side commands.
FreeScout's maintainers patched CVE-2026-27636 by adding a filename validation check: any filename beginning with a dot (.) would be rejected, preventing .htaccess from being saved to disk.
The Patch Bypass: CVE-2026-28289
OX Security researchers discovered that the patch for CVE-2026-27636 contains a TOCTOU (Time-of-Check to Time-of-Use) vulnerability in the sanitization pipeline:
- Check phase: the code checks whether the filename begins with a dot (`.`); the check passes if no leading dot is found
- Sanitization phase: a subsequent sanitization step strips invisible Unicode characters, including zero-width spaces (U+200B)
- TOCTOU gap: if an attacker crafts a filename such as `.htaccess` prefixed with a zero-width space (U+200B before the dot), the dot-prefix check sees no leading dot and passes the file; sanitization then strips the invisible character, so the name written to disk is `.htaccess`
- Execution: Apache reads the now-present `.htaccess` file containing attacker-controlled directives, enabling remote command execution
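The ordering problem above, reduced to a small model. This is an added illustration, not FreeScout's code: `vulnerable_pipeline` applies the dot-prefix check before stripping invisible characters (the ordering the advisory describes), while `hardened_pipeline` sanitizes and normalizes first and then checks the name that would actually reach the filesystem. Function names, the use of Unicode category `Cf` to define "invisible", and the sample filenames are assumptions for this example.

```python
# Added illustration (not FreeScout's code): a simplified model of the
# check-then-sanitize ordering bug behind CVE-2026-28289, next to the
# sanitize-then-check ordering that closes it. Function and variable names
# are assumptions for this example.
import unicodedata


def strip_invisible(name: str) -> str:
    """Drop format characters (Unicode category Cf), which include
    U+200B ZERO WIDTH SPACE; assumed to approximate the sanitizer."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def has_dot_prefix(name: str) -> bool:
    return name.startswith(".")


def vulnerable_pipeline(name: str):
    """Check first, then sanitize (the described CVE-2026-27636 patch order).
    Returns the filename that would be written, or None if rejected."""
    if has_dot_prefix(name):        # "\u200b.htaccess" has no leading dot here
        return None
    return strip_invisible(name)    # ...but sanitization turns it into ".htaccess"


def hardened_pipeline(name: str):
    """Sanitize and normalize first, then run every security check against
    the final name, so the check and the write see the same value."""
    cleaned = strip_invisible(unicodedata.normalize("NFKC", name)).strip()
    # Re-derive the basename so a path separator cannot smuggle a dotfile either.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    if not cleaned or has_dot_prefix(cleaned):
        return None
    return cleaned


# Constructed sample inputs: the zero-width-space variant the advisory
# describes, a plain dotfile, and a benign attachment name.
SAMPLES = ["\u200b.htaccess", ".htaccess", "invoice.pdf"]


def run_samples():
    """Map each sample name to (vulnerable result, hardened result)."""
    return {n: (vulnerable_pipeline(n), hardened_pipeline(n)) for n in SAMPLES}


if __name__ == "__main__":
    for name, (vuln, hard) in run_samples().items():
        print(repr(name), "vulnerable ->", vuln, "| hardened ->", hard)
```

A regression test built from these three inputs is the kind of patch validation the advisory's takeaways call for: the fix for a filename check is only complete if the test feeds the check the same string the filesystem will eventually receive.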
Zero-Click Escalation
CVE-2026-27636 required an authenticated user to upload the malicious file. CVE-2026-28289 eliminates this constraint entirely:
- FreeScout processes incoming emails automatically, including their attachments
- An attacker can construct a malicious email with a `.htaccess` attachment whose name carries the zero-width-space prefix and send it to any mailbox configured in FreeScout
- FreeScout's mail processing pipeline parses the attachment and attempts to save it, triggering the TOCTOU bypass
- The `.htaccess` file is written to disk without any authentication or user interaction
- Apache reads the malicious `.htaccess` and executes attacker-controlled commands, achieving full server compromise
Affected Configuration
The attack requires FreeScout running on Apache with AllowOverride All enabled in the server configuration — a setting that permits .htaccess files to override Apache directives. This is described as a common configuration for FreeScout deployments, particularly those following official setup documentation.
Affected Versions and Patch
| Version | Status |
|---|---|
| FreeScout ≤ 1.8.206 | Vulnerable |
| FreeScout 1.8.207 | Patched |
Organizations running FreeScout 1.8.206 or earlier on Apache with AllowOverride All should treat this as a critical emergency patch given the zero-click, unauthenticated nature of exploitation.
Current Threat Status
As of the time of disclosure, no active exploitation of CVE-2026-28289 has been observed in the wild. However, given:
- The CVSS 10.0 severity and zero-click nature of the flaw
- The trivial exploitation path — send an email, own the server
- The public disclosure of the vulnerability mechanics
- FreeScout's use by thousands of organizations globally as a self-hosted helpdesk solution
The window before weaponization is likely very short. Organizations should patch immediately.
Recommendations
Immediate Actions
- Upgrade to FreeScout 1.8.207 — the only complete remediation; do not delay
- Audit Apache configuration — if `AllowOverride All` is set, consider switching to `AllowOverride None` or a minimal allowlist as a defense-in-depth measure pending upgrade
- Review recent email attachments saved to disk — check for unexpected `.htaccess` or similarly named files in FreeScout's attachment directories
- Scan for indicators of compromise — check Apache access logs for unusual requests consistent with `.htaccess`-enabled code execution (e.g., unexpected PHP execution, unusual response patterns)
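One way to carry out the attachment-directory review above, as an added example that is not part of the advisory or the FreeScout project: the script walks a directory tree and reports any file whose name starts with a dot, or whose name still contains invisible Unicode characters (which, given the sanitization step the advisory describes, should never survive a legitimate save). The attachment root, the temporary fixture directory and the sample filenames are constructed placeholders; point `find_suspicious_files` at the real FreeScout attachment directory in practice.

```python
# Added example (not from the advisory or the FreeScout project): audit an
# attachment store for dotfiles and for names carrying invisible characters.
# Paths and sample filenames are constructed placeholders.
import os
import tempfile
import unicodedata


def strip_invisible(name: str) -> str:
    """Drop Unicode format characters (category Cf), e.g. U+200B."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def classify(name: str):
    """Return a reason string if the filename is suspicious, else None."""
    cleaned = strip_invisible(name)
    if cleaned != name:
        return "contains invisible Unicode characters"
    if cleaned.startswith("."):
        return "dotfile in attachment directory"
    return None


def find_suspicious_files(root: str):
    """Return a sorted list of (path, reason) for every flagged file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reason = classify(fname)
            if reason:
                findings.append((os.path.join(dirpath, fname), reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: a temporary tree shaped like an attachment store,
    holding one benign file, one dotfile and one name with a zero-width space."""
    root = tempfile.mkdtemp(prefix="attachment-audit-")
    sub = os.path.join(root, "2026", "03")
    os.makedirs(sub)
    for name in ["invoice.pdf", ".htaccess", "\u200breport.txt"]:
        with open(os.path.join(sub, name), "w", encoding="utf-8") as fh:
            fh.write("sample content\n")
    return root


if __name__ == "__main__":
    # Placeholder: replace build_sample_tree() with the real attachment root.
    for path, reason in find_suspicious_files(build_sample_tree()):
        print(f"{reason}: {path}")
```

Run it on a schedule or from file-integrity tooling rather than once: a hit on a freshly created `.htaccess` in a directory that should only ever hold attachments is exactly the near-real-time signal the hardening section asks for.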
For Security Teams
- Prioritize patching internet-exposed FreeScout instances — these are directly exploitable via the public internet with no preconditions
- Enable Web Application Firewall (WAF) rules targeting file upload abuse as a temporary mitigation measure while patching is scheduled
- Monitor outbound traffic from FreeScout servers — a compromised server may beacon to attacker infrastructure; unusual outbound connections are an IOC
- Check for webshell artifacts — look for newly created PHP files or modified `.htaccess` files in FreeScout's web root and attachment directories
Configuration Hardening (Longer Term)
- Restrict `AllowOverride` — limit Apache's `AllowOverride` directive to only what FreeScout requires; avoid `All` where possible
- Run FreeScout as a non-root user with minimal filesystem permissions to limit blast radius if RCE is achieved
- Implement file integrity monitoring on FreeScout directories — detect unauthorized `.htaccess` creation in near-real-time
Key Takeaways
- CVSS 10 zero-click RCE via email — Mail2Shell requires no user interaction, no credentials, and no network access beyond being able to send email to the target; this is a worst-case vulnerability profile
- Patch bypasses are a growing problem — CVE-2026-28289 demonstrates that a patch fixing one authentication requirement can leave an invisible bypass vector; thorough patch validation is essential
- TOCTOU bugs in sanitization pipelines are insidious — the zero-width space technique exploits the ordering of security checks; developers must ensure sanitization occurs before, not after, security validation
- Self-hosted open-source platforms carry patch risk — unlike SaaS solutions, self-hosted tools like FreeScout depend entirely on operators to apply updates; this creates extended exposure windows in the wild
- Zero active exploitation — but only for now — the trivial exploitation path means weaponization is likely imminent; treat this as a critical emergency, not a routine patch cycle item
- Apache `AllowOverride All` is a significant amplifier — this common configuration turns a file upload vulnerability into arbitrary code execution; minimizing `AllowOverride` scope is a meaningful defense-in-depth measure
Sources
- Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers — BleepingComputer
- Mail2Shell: FreeScout Patch Bypass Escalates to Zero-Click RCE (CVE-2026-28289) — OX Security
- Critical FreeScout Vulnerability Leads to Full Server Compromise — SecurityWeek
- FreeScout RCE: CVE-2026-28289 Patch Bypass via TOCTOU Flaw — TheHackerWire
- FreeScout 1.8.206 Security Advisory — GitHub (GHSA-5gpc-65p8-ffwp)