Critical FreeScout Bug Allows Zero-Click Server Takeover

Critical FreeScout vulnerability (CVE-2026-28289) allows zero-click server compromise; update to version 1.8.207 immediately.

By Content Team

Mar 5, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

A critical vulnerability in FreeScout help desk software (CVE-2026-28289) lets attackers completely compromise servers without any user interaction. The flaw bypasses a recent security patch using an invisible zero-width space character in filenames, allowing hackers to upload malicious .htaccess files simply by sending an email to any FreeScout mailbox.

Rated 10/10 on the severity scale, this zero-click remote code execution attack affects all FreeScout 1.8.206 installations running on Apache servers. Successful exploitation gives attackers full server control, access to helpdesk tickets and emails, plus potential network access for further attacks. Users should immediately update to version 1.8.207.

Source: Security Week

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Hundreds of Thousands Hit in Kensington and Chelsea Council Cyber Attack

Jan 15, 2026

Iranian Hackers Breach US Airport, Bank, and Defense Contractor Networks

Mar 6, 2026

ShinyHunters Cybercriminals Expand Cloud-Targeting Extortion Operations

Feb 2, 2026

Hackers Poison Trivy Scanner Tags to Steal Credentials from 10,000+ CI/CD Pipelines

Mar 22, 2026