CVE-2026-26333
Unauthenticated .NET Remoting RCE in Calero VeraSMART
Publication date: 2026-02-13
Last updated on: 2026-02-26
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calero | verasmart | < 2022.0 (upper bound exclusive) |
| calero | verasmart | 2022.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26333 affects Calero VeraSMART versions prior to 2022 R1. The application exposes a .NET Remoting HTTP service on TCP port 8001 that performs no authentication of its own (CWE-306).
That service publishes default ObjectURIs such as EndeavorServer.rem and RemoteFileReceiver.rem and accepts both the SOAP and the binary formatter with TypeFilterLevel set to Full, so the channel will deserialize arbitrary types supplied by an untrusted caller (CWE-502).
An unauthenticated remote attacker can use these remoting endpoints to perform arbitrary file read and write operations through the WebClient class.
That is enough to retrieve sensitive files such as WebRoot\web.config, which may contain the ASP.NET machineKey validation and decryption keys.
With those keys the attacker can sign (and, where required, encrypt) a malicious ASP.NET ViewState payload that the application deserializes, achieving remote code execution (RCE) in the security context of the IIS application pool.
Additionally, by supplying a UNC path (\\attacker-host\share\...) to one of the file operations, the attacker can make the service account authenticate outbound over SMB to a host they control, exposing the account's NTLMv2 challenge-response for relay attacks or offline cracking.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to perform arbitrary file read and write operations on the affected system without any credentials.
An attacker can retrieve sensitive configuration files such as web.config, which may disclose the ASP.NET machineKey and other secrets stored in clear text.
With the machineKey, the attacker can forge ASP.NET ViewState payloads that execute arbitrary code in the IIS application context, which in practice means full compromise of the VeraSMART host and of any data it holds.
Furthermore, the attacker can trigger outbound SMB authentication attempts from the service account that expose its NTLMv2 challenge-response, usable for credential relay against other hosts on the network or for offline password cracking.
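The impact described above hinges on what a disclosed web.config actually contains: ViewState forgery needs a static machineKey. The following is an added example, not code from the advisory or from Calero, that parses an ASP.NET web.config, pulls out the machineKey attributes, and reports whether the keys are static in the file, whether the MAC algorithm is a legacy one, and whether the ViewState MAC check has been disabled. The sample configurations and the key values in them are constructed (dummy hex), and the element paths follow the standard ASP.NET schema.

```python
"""Assess what a readable WebRoot\\web.config gives an attacker.

Added example, not from the advisory or from Calero. It parses an ASP.NET
web.config, extracts the <machineKey> that ViewState forgery needs, and flags
the settings that matter. The sample configs below are constructed and their
key values are dummy hex, not real keys.
"""
import xml.etree.ElementTree as ET
from typing import Optional

KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")


def extract_machine_key(web_config_xml: str) -> Optional[dict]:
    """Return the <machineKey> attributes, or None if the element is absent."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return None
    return {attr: mk.get(attr) for attr in KEY_ATTRS}


def assess_web_config(web_config_xml: str) -> dict:
    """Summarise how far a disclosed web.config gets an attacker."""
    root = ET.fromstring(web_config_xml)
    keys = extract_machine_key(web_config_xml) or {}
    pages = root.find("system.web/pages")

    def is_static(value: Optional[str]) -> bool:
        # "AutoGenerate,IsolateApps" means the key is generated per server and
        # never appears in the file, so reading web.config does not leak it.
        return bool(value) and not value.startswith("AutoGenerate")

    static_keys = is_static(keys.get("validationKey")) and is_static(keys.get("decryptionKey"))
    mac_setting = (pages.get("enableViewStateMac") if pages is not None else None) or "true"
    return {
        # Static keys in the file: whoever reads it can sign ViewState.
        "static_keys": static_keys,
        # MD5/SHA1 are legacy MAC algorithms; HMACSHA256 or stronger is expected.
        "legacy_validation": (keys.get("validation") or "").upper() in ("MD5", "SHA1"),
        # enableViewStateMac="false" removes the signature check altogether.
        "viewstate_mac_disabled": mac_setting.lower() == "false",
        "keys": keys or None,
    }


# Constructed sample of a config worth worrying about; dummy keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
""".format(vk="AB" * 32, dk="CD" * 24)

# Constructed sample where the keys are not in the file at all.
SAFER_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("disclosed", SAMPLE_WEB_CONFIG), ("auto-generated", SAFER_WEB_CONFIG)):
        print(label, assess_web_config(cfg))
```

If the assessment reports static keys and port 8001 was reachable, treat those keys as compromised and rotate them; keys set to AutoGenerate are held outside web.config and are not disclosed by reading the file, although the rest of the file (connection strings, other secrets) still is.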
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the .NET Remoting HTTP service is reachable on TCP port 8001 and whether it publishes the remoting objects named above.
First confirm that TCP port 8001 is open and accepting connections; an open port alone is not proof, but a closed or filtered one rules the exposure out from that vantage point.
- Use a port scanning tool such as nmap: nmap -p 8001 <target-ip>
- Connect to the service over HTTP and check for the published ObjectURIs EndeavorServer.rem and RemoteFileReceiver.rem; a .NET Remoting HTTP channel returns a WSDL document for a published object when ?wsdl is appended to its URI, and answers unknown URIs with a System.Runtime.Remoting exception.
- Only with authorization, use tools or scripts that send SOAP or binary formatter requests to the exposed remoting endpoints to verify that arbitrary file read/write operations are possible; a write test against a production host should target a scratch path, and a UNC-path test will cause the service account to authenticate to whatever host you name.
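The two detection steps above (port open, then ObjectURIs present) as one script. This is an added example, not code from the advisory or from Calero; it assumes the listener is on TCP 8001 as the advisory states, and relies on standard .NET Remoting HttpChannel behaviour for the ?wsdl probe. Whether the VeraSMART objects are exposed with SOAP metadata enabled is not stated on the page, so a "remoting-other" result still needs manual confirmation. The sample response bodies are constructed so the classifier can be exercised offline.

```python
"""Probe a host for the unauthenticated .NET Remoting HTTP listener.

Added example, not code from the advisory or from Calero VeraSMART. It assumes
the listener is on TCP 8001 (per the advisory) and relies on standard .NET
Remoting HttpChannel behaviour: a GET for <ObjectURI>?wsdl returns a WSDL
document for a published object, and requests for unknown URIs come back with
a System.Runtime.Remoting exception in the body. The sample responses at the
bottom are constructed so the classifier can be exercised offline.
"""
import socket
import sys
import urllib.error
import urllib.request

DEFAULT_PORT = 8001
# ObjectURIs named in the advisory; extend if you know others.
OBJECT_URIS = ("EndeavorServer.rem", "RemoteFileReceiver.rem")


def port_open(host: str, port: int = DEFAULT_PORT, timeout: float = 3.0) -> bool:
    """Plain TCP connect, the same signal `nmap -p 8001 <host>` gives."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_wsdl_response(status: int, body: bytes) -> str:
    """Interpret the reply to GET /<ObjectURI>?wsdl.

    remoting-soap  : WSDL came back, so the object is published and the SOAP
                     formatter is enabled on the channel.
    remoting-other : a .NET Remoting handler answered (typically a
                     RemotingException) but without WSDL; verify by hand.
    not-remoting   : nothing that looks like a remoting endpoint.
    """
    text = body.decode("utf-8", errors="replace")
    if status == 200 and "<definitions" in text and "wsdl" in text.lower():
        return "remoting-soap"
    if "System.Runtime.Remoting" in text:
        return "remoting-other"
    return "not-remoting"


def probe_object_uri(host: str, uri: str, port: int = DEFAULT_PORT,
                     timeout: float = 5.0) -> str:
    """Fetch http://host:port/<uri>?wsdl and classify the answer."""
    url = f"http://{host}:{port}/{uri}?wsdl"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_wsdl_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:       # 4xx/5xx replies still carry a body
        return classify_wsdl_response(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "not-remoting"


def scan(host: str, port: int = DEFAULT_PORT) -> dict:
    """Step 1: is the port open? Step 2: which ObjectURIs answer?"""
    result = {"port_open": port_open(host, port), "objects": {}}
    if result["port_open"]:
        for uri in OBJECT_URIS:
            result["objects"][uri] = probe_object_uri(host, uri, port)
    return result


# Constructed sample bodies (not captured from a real VeraSMART host).
SAMPLE_WSDL = (b'<?xml version="1.0"?><definitions name="EndeavorServer" '
               b'xmlns="http://schemas.xmlsoap.org/wsdl/"><message name="Ping"/>'
               b'</definitions>')
SAMPLE_FAULT = b"System.Runtime.Remoting.RemotingException: Requested Service not found"
SAMPLE_IIS = b"<html><body>It works!</body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan(sys.argv[1]))          # live probe: python <this file> <host>
    else:                                 # no host given: show the classifier on samples
        for status, body in ((200, SAMPLE_WSDL), (500, SAMPLE_FAULT), (200, SAMPLE_IIS)):
            print(status, classify_wsdl_response(status, body))
```

Run it with a host argument to probe a real target; run it with no arguments to see how the three constructed responses are classified. The script only issues GET requests and never calls a remote method, so it does not exercise the file read/write or UNC path behaviour.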
What immediate steps should I take to mitigate this vulnerability?
Restrict or block access to TCP port 8001 so that the .NET Remoting HTTP service is reachable only from hosts that legitimately need it; the service performs no authentication of its own, so the network boundary is the only control until the software is upgraded.
Upgrade Calero VeraSMART to version 2022 R1 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, disable the .NET Remoting HTTP service where the deployment does not depend on it, or apply firewall rules that limit access to trusted hosts only.
If the port was exposed before these controls were in place, assume WebRoot\web.config has been read: rotate the machineKey validation and decryption keys and any other secrets stored in the file, since those keys are what turns an arbitrary file read into ViewState remote code execution.
Monitor for unusual outbound SMB (TCP 445) connections from the VeraSMART host and for authentication attempts by its service account against unexpected hosts; egress-filtering SMB at the perimeter prevents a supplied UNC path from reaching an attacker-controlled server.