🔐 CVE Alert

CVE-2026-26333

UNKNOWN 0.0

Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

CWE CWE-306 CWE-502
Vendor calero
Product verasmart
Published Feb 13, 2026
Last Updated Feb 18, 2026

Affected Versions

Calero / VeraSMART
0 < 2022 R1

References

calero.com: https://www.calero.com/
vulncheck.com: https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp.
Jan A. Rodriguez, Pentester Jr., GM Sectec, Corp.