Overview
- Researchers at OX Security found that prepending a zero‑width space (U+200B) to an attachment filename bypasses FreeScout's dotfile check: the check runs on the raw name, which no longer begins with a dot, and the invisible character is stripped before the file is written, so the attachment lands on disk as .htaccess. The researchers describe this check‑then‑sanitize ordering as a Time‑of‑Check to Time‑of‑Use (TOCTOU) gap.
- No account is needed: an attacker can reach remote code execution by sending a single crafted email to any mailbox address configured in FreeScout. Attachments are saved under a predictable /storage/attachment/ path that is served by the web server, which is exactly where a planted .htaccess takes effect.
- The vulnerability affects all versions up to and including 1.8.206 and is patched in FreeScout 1.8.207. It is exploitable on Apache deployments where AllowOverride All lets per‑directory .htaccess files override server configuration.
- OX Security recommends turning off AllowOverride All (setting it to None) for the attachment tree as a defense‑in‑depth measure even after updating to the fixed release, since the fix only closes the filename bypass and not the web server's willingness to honour uploaded .htaccess files.
- Shodan scans identified roughly 1,100 publicly exposed FreeScout instances. No in‑the‑wild exploitation had been reported at publication, but a successful exploit yields full compromise of the host and a foothold for lateral movement, so the risk is high.
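The ordering bug in the first bullet, modelled in Python as an added example (this is not FreeScout's PHP code or OX Security's proof of concept). `sanitize()` stands in for the cleanup step that strips Unicode format characters such as U+200B; the `OVERRIDE_FILES` list and the `find_override_files()` triage helper are assumptions for illustration. The vulnerable path validates the raw name and then transforms it; the hardened path transforms first and validates the exact string that will reach disk.

```python
"""
Check-then-sanitize vs sanitize-then-check for uploaded attachment names.
Added example, not FreeScout code: it models the ordering bug in Python.
"""
import re
import unicodedata

# Filenames that make a web server reinterpret a directory (assumed list).
OVERRIDE_FILES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


def is_dotfile(name: str) -> bool:
    """The kind of check the advisory describes: reject names starting with '.'."""
    return name.startswith(".")


def sanitize(name: str) -> str:
    """Strip Unicode format characters (category Cf, which includes U+200B
    ZERO WIDTH SPACE) and replace anything outside a conservative set.
    Modelled on cleanup that upload code typically applies after validation."""
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def stored_name_vulnerable(name: str) -> str:
    """Check first, sanitize second. '\u200b.htaccess' passes the check
    (its first character is U+200B, not '.') and is then written as
    '.htaccess': the value checked is not the value used."""
    if is_dotfile(name):
        raise ValueError("dotfiles are not allowed")
    return sanitize(name)


def stored_name_hardened(name: str) -> str:
    """Sanitize first, then validate the exact string that reaches disk,
    and refuse known server-override filenames regardless of case."""
    final = sanitize(name)
    if not final or is_dotfile(final) or final.lower() in OVERRIDE_FILES:
        raise ValueError("rejected attachment name: %r" % name)
    # The name that was validated is the name that is stored; nothing
    # transforms it afterwards, so there is no check/use gap.
    return final


def accepts(checker, name: str) -> bool:
    """True if `checker` would store `name`, False if it rejects it."""
    try:
        checker(name)
        return True
    except ValueError:
        return False


def find_override_files(relative_paths):
    """Triage helper for an existing deployment: given a listing of the
    attachment tree, return entries whose basename is a dotfile or a known
    override file. Anything returned warrants a look before patching."""
    hits = []
    for path in relative_paths:
        base = path.rsplit("/", 1)[-1]
        if is_dotfile(base) or base.lower() in OVERRIDE_FILES:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed input: the zero-width-space prefix from the advisory.
    crafted = "\u200b.htaccess"
    print("vulnerable stores:", repr(stored_name_vulnerable(crafted)))
    print("hardened accepts: ", accepts(stored_name_hardened, crafted))
```

The general rule the hardened function follows is to run every check on the final, post-normalisation value; a blocklist of override filenames is a second line of defence for deployments where the dotfile check alone is too narrow.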
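The AllowOverride hardening recommended above, written out as an Apache configuration fragment. This is an added example, not configuration from the advisory or from the FreeScout project; the /var/www/freescout install path is assumed, and the extra directives go beyond the advisory's recommendation by also denying script execution in the attachment tree.

```apache
# Weak: per-directory .htaccess files under the attachment tree are honoured,
# so an uploaded .htaccess can change handlers or rewrite rules for that path.
<Directory /var/www/freescout/storage/attachment>
    AllowOverride All
</Directory>

# Hardened: ignore .htaccess entirely here (the advisory's recommendation),
# and additionally refuse to execute anything that ends up in the tree.
<Directory /var/www/freescout/storage/attachment>
    AllowOverride None
    Options -ExecCGI -Includes
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Run `apachectl configtest` after the change and then reload; if the site still relies on an .htaccess elsewhere (for example the application's own rewrite rules in the public directory), keep the override scoped to that directory rather than re-enabling it globally.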