Description
This module exploits an unauthenticated remote code execution vulnerability in FreeScout <= 1.8.206 (CVE-2026-28289). The sanitizeUploadedFileName() function checks for dot-prefixed filenames before stripping Unicode format characters (ZWSP U+200B), allowing .htaccess upload via email attachment.
A crafted email is sent via SMTP to a FreeScout mailbox. When fetched by the IMAP/POP3 cron (typically every 60s), the ZWSP is stripped and the attachment is stored as .htaccess. The file uses SetHandler to make itself executable as PHP, achieving code execution when requested via HTTP.
Requires a valid mailbox email address and web-accessible attachment storage (storage:link pointing to storage/app/).
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/freescout_htaccess_rcemsf undefined(freescout_htaccess_rce) > show actions ...actions...msf undefined(freescout_htaccess_rce) > set ACTION < action-name >msf undefined(freescout_htaccess_rce) > show options ...show and set options...msf undefined(freescout_htaccess_rce) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub