{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zip-upload/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-41193"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeScout"],"_cs_severities":["critical"],"_cs_tags":["freescout","file-write","cve-2026-41193","zip-upload"],"_cs_type":"advisory","_cs_vendors":["FreeScout"],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to a critical vulnerability (CVE-2026-41193) affecting versions prior to 1.8.215. This flaw resides in the module installation feature, where ZIP archives are extracted without proper validation of file paths. An authenticated administrator can exploit this vulnerability by uploading a specially crafted ZIP archive, leading to arbitrary file write operations on the server filesystem. The vendor patched this vulnerability in version 1.8.215. Successful exploitation allows an attacker to achieve code execution on the targeted server, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid administrator credentials to the FreeScout platform.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the module installation section within the FreeScout admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing files with manipulated paths (e.g., using \u0026quot;../\u0026quot; sequences) designed to write outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive through the module installation feature.\u003c/li\u003e\n\u003cli\u003eThe FreeScout application extracts the contents of the ZIP archive without proper validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe malicious files are written to arbitrary locations on the server's filesystem, as specified by the manipulated paths in the ZIP archive.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the written files to execute arbitrary code, potentially overwriting system files or placing malicious scripts in web-accessible directories.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent access and control over the FreeScout server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41193 allows a malicious actor with administrative access to write arbitrary files to the FreeScout server's filesystem. This can lead to arbitrary code execution, complete compromise of the server, data theft, and disruption of help desk services. Given the potential for full system takeover, this vulnerability poses a critical risk to organizations using affected FreeScout versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.215 or later to patch CVE-2026-41193 (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;FreeScout Suspicious ZIP Upload\u0026quot; to detect potentially malicious ZIP uploads to the FreeScout server (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file creation events in sensitive directories after ZIP archive extractions (reference: rules, logsource).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the number of users with administrative privileges in FreeScout.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-freescout-cve-2026-41193/","summary":"FreeScout versions prior to 1.8.215 are vulnerable to arbitrary file write via a crafted ZIP archive uploaded by an authenticated administrator due to insufficient file path validation during module installation.","title":"FreeScout Arbitrary File Write via Crafted ZIP Upload (CVE-2026-41193)","url":"https://feed.craftedsignal.io/briefs/2024-01-freescout-cve-2026-41193/"}],"language":"en","title":"CraftedSignal Threat Feed - Zip-Upload","version":"https://jsonfeed.org/version/1.1"}