
Critical Zero-Click Flaw Lets Hackers Hijack FreeScout Mail Servers

"Mail2Shell" zero-click flaw in FreeScout risks server hijacks. Update now to protect against unauthorized data access.
Content Team

Security researchers discovered a critical zero-click vulnerability called "Mail2Shell" in FreeScout, a popular open-source help desk application. The flaw (CVE-2026-28289) allows attackers to completely hijack mail servers without any user interaction or authentication.

The attack exploits a bypass in a recent security patch by using a hidden Unicode character (Zero-Width Space) in malicious email attachments. When FreeScout processes these crafted emails, the hidden character slips past security filters but gets stripped later, leaving dangerous files on the server.
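The ordering problem described above, shown as an added example; it is not FreeScout's code or the researchers' proof of concept. The deny-list, function names and sample filename are constructed assumptions, and the example contrasts a filter that checks the raw name before cleaning it with one that cleans first and then checks.

```python
import unicodedata

# Constructed deny-list for illustration; not FreeScout's actual rules.
BLOCKED_SUFFIXES = (".php", ".phtml", ".htaccess")


def strip_invisible(name: str) -> str:
    """Drop format-class code points (Unicode category Cf, which includes
    U+200B ZERO WIDTH SPACE), then apply NFKC normalization."""
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", visible)


def is_blocked(name: str) -> bool:
    """Case-insensitive suffix check against the deny-list."""
    return name.lower().endswith(BLOCKED_SUFFIXES)


def store_name_flawed(name: str):
    """Check-then-clean: the filter decides on the raw name, and the
    hidden character is removed only afterwards."""
    if is_blocked(name):
        return None
    return strip_invisible(name)


def store_name_hardened(name: str):
    """Clean-then-check. Rejecting any name that cleaning changed is a
    policy choice assumed here, not something the article specifies."""
    cleaned = strip_invisible(name)
    if cleaned != name:
        return None
    if is_blocked(cleaned):
        return None
    return cleaned


if __name__ == "__main__":
    # Constructed sample attachment names.
    for sample in ("invoice.pdf", "report.php", "report.php\u200b"):
        print(repr(sample), store_name_flawed(sample), store_name_hardened(sample))
```

Returning `None` means the attachment name is rejected; any other return value is the name that would be written to disk.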

With over 1,100 publicly exposed FreeScout instances used by healthcare, finance, and tech companies, this vulnerability poses serious risks. Successful attacks can lead to complete server takeover, data theft, and network infiltration. FreeScout released version 1.8.207 to fix the issue, and administrators must update immediately.

Source: Cyber Security News
