FreeScout Arbitrary File Write via Crafted ZIP Upload (CVE-2026-41193)
FreeScout versions prior to 1.8.215 are vulnerable to arbitrary file write via a crafted ZIP archive uploaded by an authenticated administrator due to insufficient file path validation during module installation.
FreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to a critical vulnerability (CVE-2026-41193) affecting versions prior to 1.8.215. This flaw resides in the module installation feature, where ZIP archives are extracted without proper validation of file paths. An authenticated administrator can exploit this vulnerability by uploading a specially crafted ZIP archive, leading to arbitrary file write operations on the server filesystem. The vendor patched this vulnerability in version 1.8.215. Successful exploitation allows an attacker to achieve code execution on the targeted server, potentially leading to full system compromise.
Attack Chain
- An attacker gains valid administrator credentials to the FreeScout platform.
- The attacker navigates to the module installation section within the FreeScout admin panel.
- The attacker crafts a malicious ZIP archive containing files with manipulated paths (e.g., using "../" sequences) designed to write outside the intended directory.
- The attacker uploads the crafted ZIP archive through the module installation feature.
- The FreeScout application extracts the contents of the ZIP archive without proper validation of the file paths.
- The malicious files are written to arbitrary locations on the server's filesystem, as specified by the manipulated paths in the ZIP archive.
- The attacker leverages the written files to execute arbitrary code, potentially overwriting system files or placing malicious scripts in web-accessible directories.
- The attacker achieves persistent access and control over the FreeScout server.
Impact
Successful exploitation of CVE-2026-41193 allows a malicious actor with administrative access to write arbitrary files to the FreeScout server's filesystem. This can lead to arbitrary code execution, complete compromise of the server, data theft, and disruption of help desk services. Given the potential for full system takeover, this vulnerability poses a critical risk to organizations using affected FreeScout versions.
Recommendation
- Upgrade FreeScout to version 1.8.215 or later to patch CVE-2026-41193 (reference: Overview).
- Deploy the Sigma rule "FreeScout Suspicious ZIP Upload" to detect potentially malicious ZIP uploads to the FreeScout server (reference: rules).
- Monitor web server logs for unusual file creation events in sensitive directories after ZIP archive extractions (reference: rules, logsource).
- Implement strict access control policies to limit the number of users with administrative privileges in FreeScout.
Detection coverage 2
FreeScout Suspicious ZIP Upload
highDetects suspicious ZIP archive uploads to FreeScout, potentially exploiting CVE-2026-41193. This rule looks for POST requests to common FreeScout module installation paths with ZIP content.
FreeScout File Creation in Web Root
mediumDetects file creation events in the FreeScout web root directory which could indicate a successful exploit of CVE-2026-41193.
Detection queries are available on the platform. Get full rules →