module
FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass
| Disclosed | Created |
|---|---|
| Mar 1, 2026 | Mar 31, 2026 |
Disclosed
Mar 1, 2026
Created
Mar 31, 2026
Description
This module exploits an unauthenticated remote code execution vulnerability
in FreeScout function checks for dot-prefixed filenames before stripping Unicode format
characters (ZWSP U+200B), allowing .htaccess upload via email attachment.
A crafted email is sent via SMTP to a FreeScout mailbox. When fetched by
the IMAP/POP3 cron (typically every 60s), the ZWSP is stripped and the
attachment is stored as .htaccess. The file uses SetHandler to make itself
executable as PHP, achieving code execution when requested via HTTP.
Requires a valid mailbox email address and web-accessible attachment
storage (storage:link pointing to storage/app/).
in FreeScout function checks for dot-prefixed filenames before stripping Unicode format
characters (ZWSP U+200B), allowing .htaccess upload via email attachment.
A crafted email is sent via SMTP to a FreeScout mailbox. When fetched by
the IMAP/POP3 cron (typically every 60s), the ZWSP is stripped and the
attachment is stored as .htaccess. The file uses SetHandler to make itself
executable as PHP, achieving code execution when requested via HTTP.
Requires a valid mailbox email address and web-accessible attachment
storage (storage:link pointing to storage/app/).
Authors
offensiveee
Nir Zadok (nirzadokox) OX Security
Moses Bhardwaj (MosesOX) OX Security
Valentin Lobstein [email protected]
Nir Zadok (nirzadokox) OX Security
Moses Bhardwaj (MosesOX) OX Security
Valentin Lobstein [email protected]
Platform
Linux,PHP,Unix,Windows
Architectures
php, cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.