CVE-2026-26335
Unknown Unknown - Not Provided
Static MachineKey in VeraSMART Enables Remote Code Execution

Publication date: 2026-02-13

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
Calero VeraSMART versions prior toΒ 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2026-02-13
EPSS Evaluated
2026-05-05
NVD
CVE-2026-26335
EUVD
EUVD-2026-7363
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
calero verasmart to 2022.0 (exc)
calero verasmart 2022.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26335 affects Calero VeraSMART versions prior to 2022 R1, where static ASP.NET/IIS machineKey values are hard-coded and configured in the web.config file. An attacker who obtains these static machine keys can craft a valid ASP.NET ViewState payload that passes integrity validation.

This crafted payload is accepted by the application, resulting in server-side deserialization and remote code execution within the IIS application context.


How can this vulnerability impact me? :

If exploited, this vulnerability allows an attacker to execute arbitrary code on the server running the VeraSMART application without any user interaction or privileges.

This can lead to full compromise of the IIS application environment, potentially exposing sensitive data, disrupting services, or allowing further attacks within the network.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of static ASP.NET/IIS machineKey values in the VeraSMART web application's configuration file."}, {'type': 'paragraph', 'content': 'Specifically, inspect the web.config file located at C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config for hard-coded machineKey values.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include using PowerShell or command line tools to search for the machineKey setting within the web.config file.'}, {'type': 'list_item', 'content': "PowerShell: Get-Content 'C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config' | Select-String -Pattern 'machineKey'"}, {'type': 'list_item', 'content': 'Command Prompt: findstr /i "machineKey" "C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config"'}] [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves replacing the static machineKey values in the web.config file with dynamically generated, unique keys to prevent attackers from crafting valid ViewState payloads.

Updating Calero VeraSMART to version 2022 R1 or later, where this issue is resolved, is strongly recommended.

Additionally, restrict access to the web.config file to prevent unauthorized users from obtaining the machineKey values.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart