Security researchers are urging FreeScout customers to patch a maximum-severity remote code execution vulnerability that requires no user interaction to achieve full system compromise.
According to Ox Security, CVE-2026-28289 (Mail2Shell) bypasses an earlier vulnerability (CVE-2026-27636) in FreeScout, enabling authenticated attackers to hijack targeted systems. The researchers claim they converted the bypass into a zero-click RCE, allowing code execution on the server by sending a crafted email to any address configured in FreeScout.
Ox Security said thousands of FreeScout customers may be at risk, noting the project has over 4000 GitHub stars and around 1100 publicly exposed instances identified via Shodan. It also highlighted the broader PHP-based Laravel framework, which has over 83,000 GitHub stars and around 13,000 publicly exposed servers. The vendor urged users to upgrade immediately to v1.8.207 or later and to disable AllowOverride All in the Apache configuration on the FreeScout server, even on the latest version, to mitigate the threat.
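One way to check a server for the Apache setting named in the mitigation, as an added example that is not code from Ox Security or the FreeScout project: the function below scans Apache configuration text and reports every `<Directory>` block that still sets AllowOverride All. The sample vhost and its paths are constructed for illustration, and the function does not follow Include directives, so pass it the full text of each configuration file in use.

```python
import re

# Constructed sample vhost for illustration; the paths are hypothetical.
SAMPLE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/freescout/public
    <Directory /var/www/freescout/public>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
    <Directory "/var/www/freescout/storage">
        # AllowOverride All
        allowoverride none
    </Directory>
</VirtualHost>
"""

# Apache directive names and the All/None arguments are case-insensitive.
DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
DIR_CLOSE = re.compile(r'^</Directory\s*>$', re.IGNORECASE)
OVERRIDE = re.compile(r'^AllowOverride\s+(.+)$', re.IGNORECASE)

def find_allowoverride_all(conf_text):
    """Return [(line_no, directory)] for each 'AllowOverride All' in a <Directory> block."""
    findings, current_dir = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        if (m := DIR_OPEN.match(line)):
            current_dir = m.group(1)
        elif DIR_CLOSE.match(line):
            current_dir = None
        elif (m := OVERRIDE.match(line)) and current_dir is not None:
            if "all" in (arg.lower() for arg in m.group(1).split()):
                findings.append((line_no, current_dir))
    return findings

if __name__ == "__main__":
    for line_no, directory in find_allowoverride_all(SAMPLE_CONF):
        print(f"line {line_no}: AllowOverride All in <Directory {directory}>")
```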