A new cybersecurity vulnerability called Mail2Shell has been discovered in FreeScout, a popular open-source helpdesk platform used by organizations to manage customer support emails. Security researchers revealed that attackers can exploit this flaw to take control of vulnerable servers. The attack works by sending a specially crafted email to the system. Because of this, even organizations that simply receive emails can become targets.

FreeScout is widely used by companies as a self-hosted helpdesk and shared mailbox solution. It allows support teams to manage customer conversations, tickets, and internal communication from a single dashboard. The platform is built using the Laravel PHP framework and is considered a free alternative to paid helpdesk software. Due to its popularity, any security flaw in the system can affect many organizations.
The vulnerability has been assigned the identifier CVE-2026-28289 and is classified as critical. Researchers describe it as a zero-click attack, meaning it requires no interaction from users or administrators. An attacker only needs to send a malicious email to a FreeScout mailbox connected to the system. Once the email is processed by the server, the malicious payload can be executed automatically.
This new vulnerability is actually related to a previously discovered flaw identified as CVE-2026-27636. The earlier bug allowed authenticated users with upload permissions to execute malicious code on the server. Developers released a security patch to block dangerous file uploads. However, researchers later discovered a way to bypass that patch.
The bypass technique uses an invisible character called a zero-width space (Unicode U+200B). This character can be inserted into a file name, where it is not displayed and goes unnoticed by the system's checks. Because of this, the malicious file can pass the validation filters that were designed to block suspicious uploads. Later in processing, the invisible character is removed, allowing the file to be saved under a dangerous name.
Once stored on the server, the malicious upload can create hidden configuration files known as dotfiles. One example is the .htaccess file, which can change the behavior of the web server. Attackers can use this file to execute commands remotely on the system. This allows them to gain deeper access and potentially control the server.
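
The ordering problem described above (validate the name first, remove the invisible character afterwards) is shown here next to a corrected order. This is an added illustration in Python, not FreeScout's code or its actual patch; the function names and the deny-list are assumptions made for the example.

```python
import unicodedata

# Assumption: an illustrative deny-list, not the project's real one.
BLOCKED_EXTENSIONS = (".php", ".phtml", ".phar")


def strip_invisible(name):
    """Drop Unicode format characters (category Cf), which includes U+200B."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def is_dangerous(name):
    """Deny dotfiles and blocked script extensions."""
    lowered = name.lower()
    return lowered.startswith(".") or lowered.endswith(BLOCKED_EXTENSIONS)


def store_name_flawed(name):
    """Check, then sanitize: the check sees a different name than the one stored."""
    if is_dangerous(name):
        return None
    return strip_invisible(name)  # sanitizing after the check reopens the hole


def store_name_hardened(name):
    """Sanitize, then check: the decision is made on the exact name that is stored."""
    cleaned = unicodedata.normalize("NFKC", strip_invisible(name)).strip()
    if not cleaned or is_dangerous(cleaned):
        return None
    return cleaned


def has_invisible(name):
    """Detection helper: flag names carrying format characters for logging or review."""
    return any(unicodedata.category(ch) == "Cf" for ch in name)


if __name__ == "__main__":
    # Constructed sample names; the second starts with a zero-width space.
    for sample in ["report.pdf", "\u200b.htaccess", ".htaccess"]:
        print(repr(sample), has_invisible(sample),
              store_name_flawed(sample), store_name_hardened(sample))
```

The general rule is to make the allow or deny decision on the final, canonical file name and to store exactly the string that was checked.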
Security experts warn that the impact of this vulnerability can be severe. Attackers who successfully exploit the flaw could gain full control of the FreeScout server. They may be able to access support tickets, read private customer communications, or steal sensitive organizational data. In some cases, the compromised server could also be used to attack other systems in the network.
Researchers also discovered that more than 1,100 FreeScout servers are publicly exposed on the internet. These systems belong to organizations across different industries, including healthcare, technology, financial services, and media companies. To fix the issue, developers released a security update that patches the vulnerability. Organizations are strongly advised to upgrade to FreeScout version 1.8.207 or later to stay protected.


