CVE-2026-26335
Unknown Unknown - Not Provided
Static MachineKey in VeraSMART Enables Remote Code Execution

Publication date: 2026-02-13

Last updated on: 2026-02-26

Assigner: VulnCheck

Description
Calero VeraSMART versions prior toΒ 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26335
EUVD
EUVD-2026-7363
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
calero verasmart to 2022.0 (exc)
calero verasmart 2022.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26335 affects Calero VeraSMART versions prior to 2022 R1, where static ASP.NET/IIS machineKey values are hard-coded and configured in the web.config file. An attacker who obtains these static machine keys can craft a valid ASP.NET ViewState payload that passes integrity validation.

This crafted payload is accepted by the application, resulting in server-side deserialization and remote code execution within the IIS application context.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary code on the server running the VeraSMART application without any user interaction or privileges.

This can lead to full compromise of the IIS application environment, potentially exposing sensitive data, disrupting services, or allowing further attacks within the network.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of static ASP.NET/IIS machineKey values in the VeraSMART web application's configuration file."}, {'type': 'paragraph', 'content': 'Specifically, inspect the web.config file located at C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config for hard-coded machineKey values.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include using PowerShell or command line tools to search for the machineKey setting within the web.config file.'}, {'type': 'list_item', 'content': "PowerShell: Get-Content 'C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config' | Select-String -Pattern 'machineKey'"}, {'type': 'list_item', 'content': 'Command Prompt: findstr /i "machineKey" "C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config"'}] [1]

Mitigation Strategies

Immediate mitigation involves replacing the static machineKey values in the web.config file with dynamically generated, unique keys to prevent attackers from crafting valid ViewState payloads.

Updating Calero VeraSMART to version 2022 R1 or later, where this issue is resolved, is strongly recommended.

Additionally, restrict access to the web.config file to prevent unauthorized users from obtaining the machineKey values.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26335. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart