FreeScout RCE Enables Full System Takeover

FreeScout, built on PHP and Laravel, is vulnerable to authenticated RCE via configuration overwrite. OX Security has created a full exploit PoC (CVE-2026-27636).

Urgent Security Alert

A new CVE has been disclosed in FreeScout, a free, self-hosted helpdesk and shared inbox built in PHP on the Laravel framework. Organizations running publicly accessible FreeScout instances should assume elevated risk until they’ve patched and hardened the server configuration.

Overview

FreeScout is a popular open-source help desk and shared mailbox application. Built on the PHP Laravel framework, it lets organizations manage customer support tickets and team inboxes without subscription fees or third-party hosting.

FreeScout has 4K+ GitHub stars and ~670 publicly exposed instances identified via Shodan. Laravel is even more widely adopted, with 83K+ GitHub stars and ~13K publicly exposed servers identified via Shodan.

Who is affected

  • Directly affected: Any organization running a publicly accessible FreeScout server.
  • Lower (but real) risk: FreeScout deployed internally (not exposed to the internet) — still potentially exploitable through lateral movement if an attacker gains a foothold on the same network.

Impact

If exploited, this vulnerability could enable:

  • Full server/system takeover
  • Data exfiltration of helpdesk tickets, mailbox content, and other sensitive support/inbox data stored in FreeScout
  • Lateral movement from the FreeScout host to other systems in the same network

Recommended actions

Immediate actions:

  1. Update FreeScout to v1.8.206 or later.
  2. On the FreeScout server, stop Apache from honoring per-directory .htaccess files: set AllowOverride None (instead of AllowOverride All) for the FreeScout document tree, and move any rewrite rules the application needs into the server configuration.
  3. Restrict public access to the FreeScout server (block unnecessary exposure; limit by IP/VPN where possible).
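The weak Apache setting beside the hardened one, as an added example for this article rather than configuration shipped by the FreeScout project. The directory path is an assumption; the two stanzas are alternatives for the same directory, not meant to coexist. The rewrite rules in the hardened stanza are the front-controller rules that Laravel's stock public/.htaccess normally supplies, which must move into the vhost once .htaccess files are ignored.

```apache
# Added example, not configuration from the FreeScout project.
# Path is an assumption: adjust /var/www/freescout to your install.

# Weak: with AllowOverride All, any .htaccess written under DocumentRoot is
# honoured, including one that maps another extension to the PHP handler.
<Directory /var/www/freescout/public>
    AllowOverride All
    Require all granted
</Directory>

# Hardened: .htaccess files are ignored, so a file written through an upload
# cannot change how the server treats its neighbours. The front-controller
# rewrite that Laravel's stock public/.htaccess provides moves into the vhost.
<Directory /var/www/freescout/public>
    AllowOverride None
    Require all granted
    Options -Indexes +FollowSymLinks
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</Directory>
```

After changing the setting, run apachectl configtest and reload, then confirm the application still routes correctly. This hardening only matters for Apache with mod_php or a PHP handler that respects .htaccess; nginx never reads .htaccess files, so a FreeScout behind nginx is not affected by this particular overwrite, although the upload behavior itself is still worth patching.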

Technical Analysis & Exploit PoC

Exploit PoC Walkthrough

An authenticated attacker (any account that can compose a message in the UI) can compromise a vulnerable FreeScout server by creating a new email and uploading two files as attachments. Notably, the attachments are written to the FreeScout filesystem immediately, before the email is ever sent, so the message never has to leave the draft stage. By using this behavior to overwrite the .htaccess file in the attachment directory, an attacker can turn a harmless-looking upload into remote command execution.

In our proof-of-concept, we uploaded two files: .htaccess and webshell.txt. The uploaded .htaccess instructs Apache to hand .txt files in that directory to the PHP interpreter, so webshell.txt is executed rather than served as text. The attacker can then request https://<FreeScout>/…/webshell.txt?cmd=<COMMAND> and execute arbitrary commands on the server with the privileges of the web server user. This only works when Apache is configured to honor .htaccess files (AllowOverride All), which is why disabling that setting is listed as an immediate action above.

Figure: “.htaccess” containing the configuration to treat .txt files as runnable PHP files

Figure: “webshell.txt” containing the PHP execution code to run commands on the backend

Reviewing the patch, we see that the initial mitigation approach was a targeted blacklist: the developers added .htaccess and user.ini (PHP's per-directory .user.ini override) to the upload filename blacklist, so any attempt to upload a file that could overwrite those configurations would fail.

The problem with a blacklist is durability. It only protects the specific filenames you anticipate. If additional sensitive configuration files exist (or are added later), the list must be updated – and that maintenance gap is exactly where new bypasses and regressions tend to appear.

In the final fix, the developers shifted to a more general rule: block any attempt to write files whose names start with . (dotfiles), which are commonly used for hidden configuration and control files on Unix-like systems. The patch enforces this with the following logic:

mb_substr($file_name, 0, 1) == '.'

This covers .htaccess, .user.ini and any other dotfile without having to enumerate them, so protection no longer depends on anticipating each sensitive filename. It is still worth pairing with the Apache hardening above: with AllowOverride None, an .htaccess that reaches the filesystem by any other route is simply ignored.

Source: https://github.com/freescout-help-desk/freescout/commit/00d45dc9546e8c8a47c8fea96515e630ed91a925
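To make the difference between the two fixes concrete, the following is an added example written for this article; it is not FreeScout's code. It runs the exact-name blacklist and the dotfile prefix rule over constructed attachment filenames. The blacklist spelling .user.ini is an assumption (the page refers to it as user.ini; PHP's per-directory file is .user.ini). The third, normalised variant is a defensive generalization added here, not part of the FreeScout patch, and whether FreeScout's upload path can ever receive a name with a directory component or leading whitespace is not something the page states.

```php
<?php
// Added example for this article; it is not FreeScout's code. It contrasts
// the two mitigation strategies the patch history shows, run over constructed
// attachment filenames. Requires the mbstring extension (a Laravel dependency).
declare(strict_types=1);

/**
 * Initial fix: exact-name blacklist. Blocks only the names someone anticipated.
 * The '.user.ini' spelling is an assumption (the article says user.ini).
 */
function blockedByBlacklist(string $fileName): bool
{
    $blacklist = ['.htaccess', '.user.ini'];
    return in_array($fileName, $blacklist, true);
}

/**
 * Final fix: reject every dotfile, the same test as the patch's
 * mb_substr($file_name, 0, 1) == '.'
 */
function blockedByDotfileRule(string $fileName): bool
{
    return mb_substr($fileName, 0, 1) === '.';
}

/**
 * Defensive variant used only in this example (an assumption, not part of the
 * patch): normalise before testing so that a directory component or leading
 * whitespace cannot hide the leading dot from the prefix check.
 */
function blockedByNormalisedDotfileRule(string $fileName): bool
{
    $base = basename(trim($fileName));
    return $base === '' || mb_substr($base, 0, 1) === '.';
}

// Constructed sample names: benign attachments, the two files from the PoC,
// and other dotfiles that a name-based blacklist would never have listed.
$samples = [
    'invoice.pdf',
    'webshell.txt',
    '.htaccess',
    '.user.ini',
    '.htpasswd',
    '.env',
    ' .htaccess',
    'sub/.htaccess',
];

printf("%-18s %-10s %-8s %-11s\n", 'filename', 'blacklist', 'dotfile', 'normalised');
foreach ($samples as $name) {
    printf(
        "%-18s %-10s %-8s %-11s\n",
        "'" . $name . "'",
        blockedByBlacklist($name) ? 'blocked' : 'allowed',
        blockedByDotfileRule($name) ? 'blocked' : 'allowed',
        blockedByNormalisedDotfileRule($name) ? 'blocked' : 'allowed'
    );
}
```

Run it with php dotfile_check.php. The table shows the blacklist rejecting only its two listed names while letting .htpasswd and .env through, the dotfile rule rejecting every name that begins with a dot, and the normalised variant additionally catching the padded and path-prefixed spellings. Note that webshell.txt is allowed by all three checks: on its own it is inert, which is exactly why the configuration overwrite, not the upload of PHP source, is the security boundary here.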
