CRITICAL🇵🇱 Wersja polska

CVE-2026-26333

CVSS 10.0v4.0pub. 2026-02-13upd. 2026-02-26

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

🤖 AI Analysis
How it works

The .NET Remoting service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) with the TypeFilterLevel parameter set to Full, allowing data deserialization using SOAP and binary formatters without any authentication. An attacker can invoke exposed endpoints and use the WebClient class to read server files, including WebRoot\web.config containing IIS machineKey validation and decryption keys. With knowledge of these keys, the attacker can generate a malicious ASP.NET ViewState payload and achieve RCE in the context of the IIS application. Additionally, providing a UNC path forces the service account to perform outbound SMB authentication, exposing the NTLMv2 hash to interception and relay attacks or offline cracking.

Impact

An unauthenticated remote attacker can achieve complete arbitrary code execution (RCE) in the context of the IIS application, read and write arbitrary files on the server, and intercept NTLMv2 hashes of the service account for further lateral movement in the network.

Mitigation & patch

Update Calero VeraSMART to version 2022 R1 or later. Until the patch is deployed, it is recommended to block access to TCP port 8001 on the firewall for unauthorized sources and restrict outbound SMB traffic from the service server to reduce the risk of NTLMv2 hash interception.

Who is affected

Calero VeraSMART in versions prior to 2022 R1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Calero Verasmart

    APP
    Calero
    2022.0< 2022.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-26335CRITICAL9.3PL ✓ten sam produkt

Calero VeraSMART: statyczne klucze machineKey umożliwiają RCE przez ViewState

CVE-2026-26334HIGH8.5ten sam produkt

Calero VeraSMART versions prior to 2026 R1 contain hardcoded static AES encryption keys within Veramark.Framew...