
Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform

2 unique sources, 2 articles

Summary


A critical zero-click remote code execution (RCE) vulnerability (CVE-2026-28289) in the FreeScout helpdesk platform allows attackers to hijack mail servers by sending a crafted email. The flaw bypasses the previous fix for another RCE issue (CVE-2026-27636) and enables unauthenticated command execution on the server. FreeScout versions up to 1.8.206 are affected; immediate patching to version 1.8.207 is recommended. The vulnerability leverages a zero-width space (Unicode U+200B) to bypass security checks, allowing malicious file uploads and subsequent exploitation. Over 1,100 publicly exposed FreeScout instances are at risk, with potential impacts including full server compromise, data breaches, and lateral movement. Ox Security discovered a patch bypass that allowed the same RCE to be reproduced on newly updated servers and escalated the attack chain to a zero-click RCE. The PHP-based Laravel framework, on which FreeScout is built, has over 83,000 GitHub stars and around 13,000 publicly exposed servers.

Timeline

  1. 04.03.2026 23:51 · 2 articles

    Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform


Similar Happenings

Metro4Shell RCE Flaw Exploited in React Native CLI npm Package

Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package. First observed on December 21, 2025, the vulnerability allows unauthenticated attackers to execute arbitrary OS commands. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks originate from multiple IP addresses and indicate operational use rather than experimental probing.

Critical sandbox escape flaw in vm2 NodeJS library

A critical-severity vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox library allows escaping the sandbox and executing arbitrary code on the host system. The flaw arises from improper sanitization of Promises, enabling attackers to bypass sandbox restrictions. The vulnerability affects versions prior to 3.10.2 and has been partially addressed in subsequent updates. The vm2 library, widely used in SaaS platforms and open-source projects, was discontinued in 2023 due to repeated sandbox-escape vulnerabilities but was resurrected in 2025. The vulnerability is trivial to exploit, and users are advised to upgrade to the latest version (3.10.3) to mitigate the risk. The vulnerability carries a CVSS score of 9.8 out of 10.0, highlighting its criticality. The maintainer has acknowledged that new bypasses will likely be discovered in the future, urging users to keep the library up to date and consider alternatives like isolated-vm for stronger isolation guarantees.

Active Exploitation of Gogs Zero-Day Vulnerability

A high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a self-hosted Git service, is being actively exploited across over 700 internet-accessible instances. The flaw allows arbitrary code execution by bypassing a previously patched remote code execution vulnerability (CVE-2024-55947). The attacks involve deploying malware based on the Supershell C2 framework, linked to Chinese hacking groups. The vulnerability stems from a path traversal weakness in the PutContents API, enabling attackers to overwrite sensitive files and execute arbitrary commands. The attacks appear to be part of a 'smash-and-grab' campaign, with repositories left behind on compromised systems. As of now, there is no patch available for CVE-2025-8110, and users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories. CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) catalog, and Federal Civilian Executive Branch (FCEB) agencies are required to apply mitigations by February 2, 2026. A second wave of attacks was observed on November 1, 2025, and the malware communicates with a command-and-control server at 119.45.176[.]196.

React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)

A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework. The flaw was patched in version 20.0.0. The vulnerability is being actively exploited in the wild, with attacks observed on December 21, 2025, January 4, 2026, and January 21, 2026. The attacks involve delivering base64-encoded PowerShell payloads hidden in the HTTP POST body of malicious requests. The payloads disable endpoint protections, establish a raw TCP connection to attacker-controlled infrastructure, write data to disk, and execute the downloaded binary. Approximately 3,500 exposed React Native Metro servers are still online, according to scans using the ZoomEye search engine. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS). The vulnerability affects Windows, Linux, and macOS systems, with varying levels of control over executed commands. The flaw was discovered by researchers at JFrog and disclosed in early November 2025. The vulnerability is dubbed Metro4Shell by VulnCheck. The Windows payload is a Rust-based, UPX-packed binary with basic anti-analysis logic, and the same attacker infrastructure hosts corresponding Linux binaries, indicating cross-platform targeting.

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

The *SANDWORM_MODE* campaign, a new iteration of the Shai-Hulud supply chain worm, has expanded its attack surface by leveraging 19 malicious npm packages (e.g., `claud-code`, `crypto-locale`, `secp256`) to harvest credentials, cryptocurrency keys, and API tokens. Published under aliases *official334* and *javaorg*, the malware retains Shai-Hulud’s self-propagating capabilities while introducing novel techniques: **GitHub API exfiltration with DNS fallback**, **hook-based persistence**, **SSH propagation**, and **MCP server injection** targeting AI coding assistants (Claude Code, VS Code Continue, etc.). The attack also targets **LLM API keys** (Anthropic, OpenAI, Mistral, etc.) and includes a **polymorphic engine** (currently inactive) for evasion via Ollama/DeepSeek Coder. A two-stage payload delays deeper harvesting (password managers, worm propagation) for 48+ hours, with a destructive wiper routine as a fallback. This follows the *Sha1-Hulud* wave (November–December 2025), which exposed **400,000 secrets** across **30,000 GitHub repositories** via **800+ trojanized npm packages**, and the *PackageGate* vulnerabilities (January 2026) that bypassed npm’s `--ignore-scripts` defenses. Concurrently, unrelated but similarly severe threats include the `buildrunner-dev` and `eslint-verify-plugin` packages deploying **Pulsar RAT/Mythic C2 agents**, and a fake VS Code Solidity extension (`solid281`) dropping **ScreenConnect or reverse shells**. Researchers warn of escalating risks to developer environments, CI/CD pipelines, and AI-assisted coding tools, urging **immediate credential rotation**, **dependency audits**, and **hardened access controls**.