Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers, CVSS: 10.0 (Critical)

Information:

   FreeScout is an open-source help desk and shared mailbox platform used to manage customer support emails and tickets within an organization. It is developed in PHP and MySQL and is designed to be installed on an organization's own servers (self-hosted deployment). This gives organizations full control over their data and infrastructure, but it also makes them responsible for system maintenance, updates, and security management. The platform lets multiple support staff receive requests, track issues, and respond to customers from a single centralized system.

Incident:

  Researchers from OX Security found that an attacker can send a single malicious email attachment to an email account connected to FreeScout. The system automatically downloads the attachment into the /storage/attachment/ folder. The attacker inserts an invisible character at the beginning of the filename to bypass the security checks, which allows Remote Code Execution (RCE) on the server without logging in and without the user clicking or opening anything. This enables the upload of a malicious .htaccess file, which can then execute code on the server. The vulnerability affects all FreeScout versions up to 1.8.206 and is patched in version 1.8.207. If successfully exploited, an attacker could take full control of the server, steal data, use the server as a pivot for further attacks, and disrupt services. Although no widespread attacks have been reported so far, the vulnerability is highly severe and easy to exploit.
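As an added illustration (not FreeScout's code and not the OX Security write-up), the Python below shows why a check on the raw attachment filename is defeated by a leading invisible character, and how normalizing the name before the policy decision closes that gap. The blocked-name policy, the helper names and the sample filenames are assumptions constructed for this example.

```python
import os
import unicodedata
from pathlib import Path

# Names and extensions an attachment store should never serve. Constructed policy
# for this example; FreeScout's own rules are not reproduced here.
BLOCKED_NAMES = {".htaccess", ".htpasswd"}
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar"}


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing: Unicode format (Cf) and
    control (Cc) characters such as the zero-width space and the BOM."""
    return unicodedata.category(ch) in {"Cf", "Cc"}


def naive_check(filename: str) -> bool:
    """Policy applied to the raw name only. A single leading invisible
    character makes '.htaccess' look like an ordinary file with a suffix."""
    return (filename.lower() in BLOCKED_NAMES
            or Path(filename).suffix.lower() in BLOCKED_EXTENSIONS)


def normalize(filename: str) -> str:
    """Compatibility-fold the name and drop invisible characters, so a
    disguised name collapses to what the web server will actually see."""
    folded = unicodedata.normalize("NFKC", filename)
    return "".join(ch for ch in folded if not is_invisible(ch)).strip()


def is_blocked(filename: str) -> bool:
    """Hardened check: apply the policy to the normalized name."""
    return naive_check(normalize(filename))


def scan_names(names):
    """Report stored attachment names that carry hidden characters or that
    become a blocked name once normalized. Returns (name, reasons) pairs."""
    findings = []
    for name in names:
        clean = normalize(name)
        reasons = []
        if clean != name:
            reasons.append("hidden or non-canonical characters in filename")
        if naive_check(clean):
            reasons.append("blocked name after normalization: %r" % clean)
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_directory(path):
    """Run scan_names over an existing attachment directory on disk."""
    return scan_names(os.listdir(path))
```

Running scan_directory against the attachment folder of an unpatched instance gives a quick audit of files that were accepted under a disguised name.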

Recommendation:

  • Update FreeScout to version 1.8.207 or later
  • Disable AllowOverride All on Apache
  • Restrict access to the Attachment folder
  • Use a WAF and monitor logs regularly
  • Limit system access via VPN or IP allowlist

 Security systems matter. We must stay alert and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
065 725 7405 (Ms.Donraya)

References:

- https://www.scmagazine.com/news/mail2shell-freescout-patch-bypass-exploit-leads-to-rce
- https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/
- https://cybersecuritynews.com/hackers-hijack-freescout-mail-servers/

Weekly Interesting CVE

| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2026-2441 | 13/02/2026 | 14/02/2026 | Chrome versions prior to 145.0.7632.75 on Windows/Mac | Use-After-Free | 8.8 | A use-after-free vulnerability in Google Chrome's CSS engine, in which memory is used after a dangling pointer has been released, lets attackers use specially crafted HTML pages to execute arbitrary code inside a sandbox (remote code execution). Even sandboxed, this could lead to more sophisticated attacks when combined with other vulnerabilities. | Windows / macOS: Chrome 145.0.7632.75 and 145.0.7632.76 | https://app.opencve.io/cve/CVE-2026-2441 |
| 2 | CVE-2025-7195 | 8/7/2025 | 16/02/2026 | Operator-SDK versions prior to 0.15.2 | Privilege Escalation | 5.2 | The Operator-SDK provides an insecure method to allow Operator containers to run in environments using random UIDs. Versions prior to 0.15.2 included a user_setup script that set the /etc/passwd file permissions to 664 during image build. In affected images, /etc/passwd is created with group write permission and its owner group is root (gid=0). An attacker capable of executing commands within the affected container, even as a non-root user, could use root group membership to modify /etc/passwd. | Update the Operator-SDK to version 0.15.2 or higher. | https://app.opencve.io/cve/CVE-2025-7195 |
| 3 | CVE-2026-1841 | 13/02/2026 | 13/02/2026 | PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress, versions prior to 11.2.0 | Cross-Site Scripting (XSS) | 7.2 | In PixelYourSite version 11.2.0 and earlier, two parameters (pysTrafficSource and pys_landing_page) bypass input sanitization and lack proper output escaping. This allows unauthenticated attackers to embed JavaScript code into web pages, which then executes every time a page is visited. | Update to version 11.2.0.1 or later. | https://app.opencve.io/cve/CVE-2026-1841 |
| 4 | CVE-2026-24853 | 13/02/2026 | 13/02/2026 | Caido before version 0.55.0 | Access Control Bypass | 8.1 | Prior to version 0.55.0, Caido attempted to block domains not on the whitelist from connecting via port 8080, but this could be bypassed by inserting headers such as *X-Forwarded-Host: 127.0.0.1:8080*, allowing unauthorized attackers to reach the protected endpoint. | Update Caido to version 0.55.0 or later. | https://app.opencve.io/cve/CVE-2026-24853 |
| 5 | CVE-2026-1306 | 14/02/2026 | 14/02/2026 | midi-Synth plugin for WordPress versions prior to 1.1.0 | Unrestricted File Upload | 9.8 | A vulnerability in the **midi-Synth Plugin for WordPress** arises from the plugin's failure to properly check file types and extensions in the AJAX function named `export`. This allows attackers to upload any file to the affected website's server without prior login and could lead to remote code execution under certain conditions (e.g., if the attacker can obtain a nonce value displayed in front-end JavaScript). | There is no patch update yet. | https://app.opencve.io/cve/CVE-2026-1306 |


Malware News or Campaign IOC/IOA | EN

No: 1

Campaign Name: ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

Detection Date: 28/02/2026

Attack Type: Credential Brute-force Attack, Remote Code Execution, malicious website

Description: A vulnerability called ClawJacked was discovered in the OpenClaw AI agent. The weakness lies in the gateway, which exposes a WebSocket interface on localhost, allowing malicious websites to attempt brute-forcing the password directly from the browser. Once successful, attackers gain administrator-level control, enabling them to issue commands on behalf of the user or steal sensitive data. This risk affects individual users, developers, and organizations relying on OpenClaw for automation, as it can lead to data leaks and remote system takeover. The flaw was identified by Oasis Security and has already been patched in version 2026.2.26, released on February 26, 2026. Updating immediately is crucial to prevent exploitation, since leaving the system unpatched could allow attackers to use this vulnerability as a stepping stone to infiltrate other systems within an organization. Such attacks not only compromise individual users but also pose broader threats to organizational infrastructure and overall security, especially for enterprises that depend heavily on OpenClaw for automated operations.

Mitigation/Remediation:
  • Install the patched version (2026.2.26) to close the vulnerability and reduce the risk of exploitation.
  • Use strong, complex passwords and enable multi-factor authentication (MFA) to minimize brute-force attempts.
  • Configure access so that only necessary users can reach the gateway, and apply firewall rules or network segmentation to block unwanted connections.

Ref: https://www.scworld.com/brief/fake-7-zip-website-distributes-trojanized-installer-turns-pcs-into-proxy-nodes

12 March 2026
