Mail2Shell Zero-Click Flaw Puts FreeScout Mail Servers at Risk; Urgent Update Released

Mail2Shell: Critical Zero-Click Vulnerability Exposes FreeScout Mail Servers to Remote Hijacking

In a significant cybersecurity development, researchers have identified a critical zero-click vulnerability in FreeScout, an open-source help desk and shared mailbox application. This flaw, termed Mail2Shell, enables attackers to hijack mail servers without requiring user interaction or authentication.

Understanding the Mail2Shell Vulnerability

The vulnerability, designated as CVE-2026-28289, represents an escalation from a previously patched Remote Code Execution (RCE) flaw (CVE-2026-27636). The initial patch aimed to prevent dangerous file uploads by appending an underscore to files with restricted extensions or names beginning with a period. However, security analysts discovered that this fix could be circumvented by prepending a Zero-Width Space character (Unicode U+200B) to the malicious filename.

Because the filename now begins with an invisible character rather than a period, the leading-dot check does not match, and the file passes validation. When the server later processes the file, it strips the U+200B character, leaving the payload stored as a potentially harmful dotfile. The root cause is ordering: the name was validated before it was canonicalized, so the check ran against a string that was not the one written to disk.
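The bypass class described above (validate first, canonicalize later) is easiest to see beside its fix. The following is an added example written for this article, not FreeScout's own code or its real patch; the block-list, the sample filenames and the audit helper are constructed for illustration. It is written in Python rather than PHP so that it can be run as-is: `weak_sanitize` mirrors the described first fix and inspects the raw string, `hardened_sanitize` canonicalizes (NFKC, then removal of format/control code points including U+200B) before applying the same policy and stores only the canonical name, and `find_suspicious` is a defender's audit over an existing list of stored attachment names.

```python
import unicodedata
from typing import List, Tuple

# Constructed sample block-list; FreeScout's real list is not given on the page.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar", "phps"}

# Unicode categories that never belong in a stored filename: format characters
# (Cf, which includes U+200B ZERO WIDTH SPACE and U+FEFF), controls (Cc),
# private-use (Co), unassigned (Cn) and line/paragraph separators (Zl, Zp).
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zl", "Zp"}


def _blocked_segment(name: str) -> bool:
    """True if any dot-separated segment after the base name is a blocked extension."""
    parts = name.split(".")
    return any(seg.lower() in BLOCKED_EXTENSIONS for seg in parts[1:])


def weak_sanitize(name: str) -> str:
    """Check modelled on the article's description of the first fix: it inspects
    the raw string, so a leading invisible character defeats the dotfile test."""
    if name.startswith(".") or _blocked_segment(name):
        return name + "_"
    return name


def canonicalize(name: str) -> str:
    """Reduce a filename to the form it will actually have on disk before any
    policy decision is made: compatibility-normalize, drop invisible code
    points, trim surrounding whitespace."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)
    return name.strip()


def hardened_sanitize(name: str) -> str:
    """Canonicalize first, apply the same policy to the canonical name, and store
    only that name, so no later stripping step can change what was checked."""
    canon = canonicalize(name)
    if not canon:
        return "_"  # nothing visible left: never store an empty or all-invisible name
    if canon.startswith(".") or _blocked_segment(canon):
        return canon + "_"
    return canon


def find_suspicious(stored_names: List[str]) -> List[Tuple[str, str]]:
    """Audit helper for an existing attachment directory listing: flag names that
    are dotfiles, carry invisible code points, or contain a blocked extension."""
    findings = []
    for name in stored_names:
        if name.startswith("."):
            findings.append((name, "dotfile"))
        elif any(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name):
            findings.append((name, "invisible code point"))
        elif _blocked_segment(name):
            findings.append((name, "blocked extension"))
    return findings


if __name__ == "__main__":
    # Constructed inputs: a plain attachment, a dotfile, the same dotfile with a
    # leading U+200B, a double extension, and a full-width "php" that NFKC folds.
    samples = ["report.pdf", ".htaccess", "\u200b.htaccess", "shell.php.txt", "x.\uff50\uff48\uff50"]
    for s in samples:
        print(repr(s), "weak ->", repr(weak_sanitize(s)), "hardened ->", repr(hardened_sanitize(s)))
    print(find_suspicious(["a.pdf", ".htaccess", "b\u200b.txt", "c.php"]))
```

The design point is that the policy check must run on exactly the bytes that will be written, which is why `hardened_sanitize` returns the canonical name rather than the caller's original. To audit a real directory, pass `os.listdir(path)` to `find_suspicious`; it reports by name and reason and never modifies anything.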

Exploitation Mechanism

To exploit this vulnerability, an attacker sends a crafted email containing the malicious payload to any address associated with the FreeScout server. The system automatically writes the file to disk in a predictable directory (/storage/attachment/…). The attacker can then access the payload via the web interface and execute remote commands instantly. This entire process requires no authentication or interaction from the victim, making it particularly insidious.

Potential Impact

FreeScout is widely used by public health institutions, financial platforms, and technology providers to manage customer support. FreeScout, built on the Laravel PHP framework, has over 1,100 publicly exposed instances, making it an attractive target for threat actors.

If exploited, the Mail2Shell vulnerability can lead to complete server takeover. Attackers can exfiltrate sensitive helpdesk tickets, steal customer inbox data, and use the compromised host to move laterally across the organization’s network.

Immediate Mitigation Measures

In response to this critical vulnerability, FreeScout maintainers have released version 1.8.207 to address the issue. Administrators are strongly urged to apply this update immediately, as the previous patch (for CVE-2026-27636) does not protect against this zero-click escalation.

Conclusion

The discovery of the Mail2Shell vulnerability underscores the importance of continuous vigilance and prompt patching in cybersecurity. Organizations using FreeScout should prioritize updating their systems to mitigate potential risks associated with this flaw.