Mail2Shell Zero-Click Attack lets Hackers Hijack FreeScout Mail Servers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Researchers have uncovered a critical zero-click vulnerability in FreeScout, a widely used open-source help desk and shared mailbox application.

Dubbed “Mail2Shell,” the flaw lets an attacker take over a FreeScout server with no authentication and no interaction from any user.

The vulnerability, tracked as CVE-2026-28289, bypasses the incomplete fix for a recently patched Remote Code Execution (RCE) flaw, turning what had required an authenticated user into an unauthenticated zero-click attack.

The Zero-Click Escalation Path

Just days after FreeScout patched an authenticated RCE vulnerability (CVE-2026-27636), security analysts found a way to bypass the incomplete fix.

The original patch tried to neutralize dangerous uploads by appending an underscore to any filename that has a restricted extension or begins with a period, so that the stored file is neither a script by extension nor a dotfile.

Attack graph (source: OX Security)

However, an attacker can bypass this validation simply by prepending a Zero-Width Space character (Unicode U+200B) to the malicious filename.

Blocked risky uploads via underscores (source: OX Security)

During the initial security check the filename begins with the invisible U+200B rather than with a period, so the dotfile rule never fires and the name slips past the filter.

Later in the processing chain, the server strips the U+200B character, so the name that was validated is not the name that is written: what lands on disk is a dotfile. Validating the raw name and normalizing it afterwards is the root of the bypass.
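As an added illustration (example code written for this article, not FreeScout's implementation and not taken from OX Security's write-up), the Python model below reproduces the ordering bug described above: a sanitizer that applies the underscore rule to the raw filename and only afterwards strips U+200B, next to a hardened version that canonicalizes first and stores exactly what it checked. It goes a little beyond the article by stripping every Unicode format character (category Cf, which covers U+200B as well as U+200C, U+200D and U+FEFF) rather than only the zero-width space, and it adds a small detector that flags an attachment name whose raw and canonical forms are judged differently. The restricted-extension list and the sample filenames are constructed for the example; the article does not name the dotfile that ultimately yields code execution, so a placeholder name is used.

```python
"""Illustrative model of the validate-then-normalize bug behind the U+200B
filename bypass. This is example code written for this article, not
FreeScout's implementation; the lists and names below are constructed."""
import unicodedata

# Constructed list of extensions the underscore rule should neutralize
# (an assumption for the example; the real list is not given in the article).
RESTRICTED_EXT = {"php", "phtml", "phar", "htaccess", "htpasswd"}


def needs_block(name: str) -> bool:
    """The patch's rule as the article describes it: a filename that begins
    with a period or carries a restricted extension gets an underscore."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return name.startswith(".") or ext in RESTRICTED_EXT


def strip_format_chars(name: str) -> str:
    """Canonicalize: drop every Unicode 'format' character (category Cf),
    which covers U+200B and its zero-width relatives. This generalizes the
    single-character strip the article mentions."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def vulnerable_sanitize(name: str) -> str:
    """Check first, normalize later: the ordering the article describes.
    The rule is evaluated on the raw name; U+200B is removed afterwards,
    so a name that started with U+200B followed by '.' is stored as a dotfile."""
    if needs_block(name):
        name += "_"
    return name.replace("\u200b", "")  # the later strip the article mentions


def hardened_sanitize(name: str) -> str:
    """Normalize first, then check, then store exactly what was checked."""
    canonical = strip_format_chars(name)
    if needs_block(canonical):
        canonical += "_"
    return canonical


def detect_bypass_attempt(name: str) -> bool:
    """Flag a filename that the rule accepts in raw form but would reject
    once canonicalized: the signature of this class of bypass. Suitable to
    run over inbound attachment names or over an existing storage listing."""
    canonical = strip_format_chars(name)
    return canonical != name and needs_block(canonical) and not needs_block(name)


if __name__ == "__main__":
    # Constructed sample names; ".payload" stands in for whatever dotfile
    # the real exploit used, which the article does not name.
    samples = [".payload", "\u200b.payload", "\ufeff.payload", "shell.php", "report.pdf"]
    for raw in samples:
        print(f"{raw!r:22} vulnerable -> {vulnerable_sanitize(raw)!r:14} "
              f"hardened -> {hardened_sanitize(raw)!r:14} "
              f"suspicious={detect_bypass_attempt(raw)}")
```

Running the block shows the vulnerable path storing `\u200b.payload` as `.payload` while the hardened path stores `.payload_`, and the detector flagging both the U+200B and the U+FEFF variants. The general lesson is the one the article's chain illustrates: any transformation applied to a filename after validation (stripping characters, decoding, trimming) must either happen before the check or be followed by a second check on the final name.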

To exploit this, an attacker sends a crafted email containing the malicious payload to any address connected to the FreeScout server.

The system automatically writes the file to disk in a predictable directory (/storage/attachment/…).

The attacker can then reach the stored payload through the web interface and execute commands on the server. The whole chain requires no authentication and no interaction from a victim.

FreeScout is heavily utilized by public health institutions, financial platforms, and technology providers to manage customer support.

Built on the Laravel PHP framework, FreeScout has over 1,100 publicly exposed instances, making it a highly lucrative target for threat actors.

Bypass confirmed, escalating to unauthenticated RCE (source: OX Security)

According to OX Security researchers, if exploited, the Mail2Shell vulnerability can lead to complete server takeover.

Hackers can exfiltrate sensitive helpdesk tickets, steal customer inbox data, and use the compromised host to move laterally across the organization’s network.

Payload accessed, enabling remote server commands (source: OX Security)

The FreeScout maintainers responded quickly by releasing version 1.8.207 to close the variant attack path.

Administrators should apply this update immediately; the earlier patch for CVE-2026-27636 does not protect against this zero-click escalation. Because the trigger is an inbound email to any address the instance handles, restricting access to the web interface alone does not stop the malicious file from being written, so upgrading is the fix. It is also worth reviewing the attachment storage directory for unexpected dotfiles on instances that were exposed before the update.
