CVE-2026-26333
Unknown Unknown - Not Provided
Unauthenticated .NET Remoting RCE in Calero VeraSMART

Publication date: 2026-02-13

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26333
EUVD
EUVD-2026-7365
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
calero verasmart to 2022.0 (exc)
calero verasmart 2022.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26333 affects Calero VeraSMART versions prior to 2022 R1, where an unauthenticated .NET Remoting HTTP service is exposed on TCP port 8001.

This service publishes default ObjectURIs such as EndeavorServer.rem and RemoteFileReceiver.rem and allows the use of SOAP and binary formatters with TypeFilterLevel set to Full.

An unauthenticated remote attacker can exploit these remoting endpoints to perform arbitrary file read and write operations via the WebClient class.

This enables the attacker to retrieve sensitive files like WebRoot\web.config, which may contain IIS machineKey validation and decryption keys.

Using these keys, the attacker can craft a malicious ASP.NET ViewState payload to achieve remote code execution (RCE) within the IIS application context.

Additionally, by supplying a UNC path, the attacker can trigger outbound SMB authentication attempts from the service account, potentially exposing NTLMv2 hashes that can be used for relay attacks or offline cracking.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to perform arbitrary file read and write operations on the affected system.

An attacker can retrieve sensitive configuration files, such as web.config, which may disclose critical cryptographic keys.

With these keys, the attacker can generate malicious payloads to execute arbitrary code remotely within the IIS application context, leading to full system compromise.

Furthermore, the attacker can trigger outbound SMB authentication attempts that may expose NTLMv2 hashes, which can be used for credential relay attacks or offline password cracking.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking for the presence of an unauthenticated .NET Remoting HTTP service exposed on TCP port 8001.

You can scan your network or system to see if TCP port 8001 is open and accepting connections.

  • Use a port scanning tool such as nmap: nmap -p 8001 <target-ip>
  • Attempt to connect to the service and check for published ObjectURIs like EndeavorServer.rem or RemoteFileReceiver.rem.
  • Use tools or scripts that can send SOAP or binary formatter requests to the exposed remoting endpoints to verify if arbitrary file read/write operations are possible.
Mitigation Strategies

Immediate mitigation steps include restricting or blocking access to TCP port 8001 to prevent unauthenticated remote access to the .NET Remoting HTTP service.

Upgrade Calero VeraSMART to version 2022 R1 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, consider disabling the .NET Remoting HTTP service or applying network-level controls such as firewall rules to limit access to trusted hosts only.

Monitor for unusual outbound SMB authentication attempts that could indicate exploitation attempts involving UNC paths.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26333. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart