
The vulnerability enables unauthenticated attackers to fully compromise mail servers, exposing sensitive customer data and facilitating lateral movement across networks. Prompt remediation is critical for organizations relying on self‑hosted support solutions.
FreeScout has become a popular self‑hosted alternative to commercial ticketing systems, powering thousands of support inboxes worldwide. Its open‑source nature and ease of deployment have driven rapid adoption, but also increased exposure to threat actors scanning for vulnerable instances. The discovery of CVE‑2026‑28289 underscores how even well‑intentioned security patches can be subverted when input sanitization overlooks obscure Unicode characters, turning a routine email into a weapon without any user interaction.
The technical chain begins with a crafted email attachment whose filename is prefixed by a zero‑width space (U+200B). This invisible character slips past the filename filter that blocks dotfiles and restricted extensions, allowing the malicious file to be stored in the server's /storage/attachment directory. Once saved, the file can be accessed via the web interface, enabling the attacker to execute arbitrary commands and achieve full server compromise. The exploit also re‑activates the earlier CVE‑2026‑27636 vulnerability, demonstrating how layered flaws can compound risk when mitigations are incomplete.
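As an added illustration (not FreeScout's code), the pair of filters below contrasts a naive dotfile/extension check, which inspects the raw filename and so lets a U+200B-prefixed name through, with a hardened version that normalizes the name and strips zero-width and other format characters before deciding. The denylist and helper names are constructed for this example; the real project's list and code differ.

```python
import unicodedata

# Constructed denylist for this example (assumption: the real filter differs).
# Dotfiles such as .htaccess are meant to be caught by the leading-dot check,
# not by the extension list, which is exactly the gap a zero-width prefix abuses.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}

# Zero-width and byte-order-mark code points, listed explicitly for readability;
# the category check below also covers every other Unicode format character.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def naive_is_allowed(filename: str) -> bool:
    """Looks only at the raw first character and raw extension."""
    if filename.startswith("."):
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def canonical_filename(filename: str) -> str:
    """Return the name as it should be judged: NFKC-normalized, with
    invisible (Cf), control (Cc) and unassigned (Cn) code points removed."""
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(
        ch for ch in name
        if ch not in INVISIBLE
        and unicodedata.category(ch) not in ("Cf", "Cc", "Cn")
    )
    return name.strip()


def hardened_is_allowed(filename: str) -> bool:
    """Apply the same policy, but only after canonicalizing the name."""
    name = canonical_filename(filename)
    if not name or name.startswith("."):
        return False
    # Check every dotted segment so a double extension cannot hide one.
    segments = name.lower().split(".")[1:]
    return not any(seg in BLOCKED_EXTENSIONS for seg in segments)
```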
For administrators, the immediate steps are clear: upgrade to FreeScout 1.8.207, disable Apache's `AllowOverride All` directive, and audit all exposed instances for signs of compromise. Beyond the specific fix, the incident highlights the broader challenge of securing open‑source infrastructure: continuous code review, robust input validation, and rapid patch distribution are essential. Organizations should integrate vulnerability scanning tools that detect hidden Unicode exploits and maintain an incident response plan for zero‑click threats, ensuring resilience against evolving attack techniques.