A critical vulnerability in FreeScout help desk software (CVE-2026-28289) lets attackers completely compromise servers without any user interaction. The flaw bypasses a recent security patch using an invisible zero-width space character in filenames, allowing hackers to upload malicious .htaccess files simply by sending an email to any FreeScout mailbox.
Rated 10/10 on the severity scale, this zero-click remote code execution attack affects all FreeScout 1.8.206 installations running on Apache servers. Successful exploitation gives attackers full server control, access to helpdesk tickets and emails, plus potential network access for further attacks. Users should immediately update to version 1.8.207.
Source: Security Week