CVE-2026-26333
Published: 13 February 2026
Description
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely remediation of the flaw through upgrading Calero VeraSMART to 2022 R1 or later, eliminating the vulnerable .NET Remoting service exposure.
Prohibits unauthenticated actions like arbitrary file read/write via exposed remoting endpoints, addressing CWE-306 missing authentication for critical functions.
Restricts network access to TCP port 8001 at managed interfaces, blocking unauthenticated remote attackers from reaching the vulnerable .NET Remoting service.
Security Summary
CVE-2026-26333 affects Calero VeraSMART versions prior to 2022 R1, which expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs such as EndeavorServer.rem and RemoteFileReceiver.rem, and it permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. This configuration enables an unauthenticated remote attacker to invoke the exposed remoting endpoints and perform arbitrary file read and write operations via the WebClient class. The vulnerability is associated with CWE-306 (Missing Authentication for Critical Function) and CWE-502 (Deserialization of Untrusted Data), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By invoking the remoting endpoints, the attacker can retrieve sensitive files such as WebRoot\web.config, potentially disclosing IIS machineKey validation and decryption keys. These keys allow the generation of a malicious ASP.NET ViewState payload, leading to remote code execution within the IIS application context. Additionally, supplying a UNC path to the endpoints can trigger outbound SMB authentication from the service account, exposing NTLMv2 hashes for potential relay attacks or offline cracking.
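The paragraph above describes what traffic to the vulnerable service looks like from the outside: requests to the published ObjectURIs on TCP 8001 from hosts that have no business reaching them, requests that name web.config, and requests carrying a UNC path. The following detection logic is an added example written for this page; it is not code from the advisory, from VulnCheck or from Calero. It runs over a constructed, tab-separated HTTP log (the field layout is an assumption; adapt `parse_line` to your sensor's schema), and the allowlisted source address 10.0.5.20 is likewise an assumed internal application host.

```python
import re
from dataclasses import dataclass

# Port and ObjectURIs named in the advisory.
REMOTING_PORT = 8001
REMOTING_URIS = {"/EndeavorServer.rem", "/RemoteFileReceiver.rem"}
# Assumption for the example: only this internal app host should ever call the service.
ALLOWED_SOURCES = {"10.0.5.20"}
# A UNC path (\\host\share\...) handed to the service can coerce outbound SMB authentication.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s\"'<>]+")
# The file the advisory names as the high-value read target.
SENSITIVE_FILE = re.compile(r"web\.config", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    method: str
    path: str
    content_type: str
    body: str


@dataclass
class Finding:
    ts: str
    src: str
    path: str
    reasons: list


def parse_line(line: str) -> Event:
    """Parse one tab-separated record in the constructed layout:
    ts, src, dst, dport, method, path, content-type, body-snippet."""
    ts, src, dst, dport, method, path, ctype, body = line.rstrip("\n").split("\t", 7)
    return Event(ts, src, dst, int(dport), method, path, ctype, body)


def assess(ev: Event):
    """Return a Finding when the request touches the exposed remoting surface
    in a way worth an analyst's attention, else None."""
    if ev.dport != REMOTING_PORT or ev.path not in REMOTING_URIS:
        return None
    reasons = []
    if ev.src not in ALLOWED_SOURCES:
        reasons.append("remoting ObjectURI reached from a non-allowlisted source")
    if SENSITIVE_FILE.search(ev.body):
        reasons.append("web.config referenced in request body (file-read probe)")
    if UNC_PATH.search(ev.body):
        reasons.append("UNC path in request body (possible SMB authentication coercion)")
    return Finding(ev.ts, ev.src, ev.path, reasons) if reasons else None


def scan(lines):
    """Run assess() over an iterable of log lines and keep the findings."""
    return [f for f in (assess(parse_line(ln)) for ln in lines) if f is not None]


# Constructed sample log; 203.0.113.7 is a documentation address standing in for an external host.
SAMPLE_LOG = [
    "2026-02-14T09:00:01Z\t10.0.5.20\t10.0.5.30\t8001\tPOST\t/EndeavorServer.rem\ttext/xml\t<SOAP-ENV:Envelope>GetServerVersion</SOAP-ENV:Envelope>",
    "2026-02-14T09:02:17Z\t203.0.113.7\t10.0.5.30\t8001\tPOST\t/RemoteFileReceiver.rem\ttext/xml\t<SOAP-ENV:Envelope>C:\\inetpub\\WebRoot\\web.config</SOAP-ENV:Envelope>",
    "2026-02-14T09:02:31Z\t203.0.113.7\t10.0.5.30\t8001\tPOST\t/RemoteFileReceiver.rem\tapplication/octet-stream\t\\\\203.0.113.7\\share\\f.txt",
    "2026-02-14T09:03:00Z\t10.0.5.20\t10.0.5.30\t80\tGET\t/index.html\ttext/html\t",
    "2026-02-14T09:05:44Z\t10.0.5.20\t10.0.5.30\t8001\tPOST\t/EndeavorServer.rem\ttext/xml\t<SOAP-ENV:Envelope>\\\\10.0.9.9\\logs\\x</SOAP-ENV:Envelope>",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.src, f.path, "; ".join(f.reasons))
```

The first rule is the one that matters most: because the service performs no authentication, any request to the ObjectURIs from outside the allowlist is already a policy violation, whatever its body contains. The body rules only add context (which file was asked for, whether an SMB coercion is being attempted). The SOAP and binary formatter content types are deliberately not used as indicators, since legitimate remoting clients send exactly the same content types.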
Advisories recommend upgrading to Calero VeraSMART 2022 R1 or later to mitigate the issue, as prior versions are vulnerable due to the exposed remoting service. Further details on patches and remediation are available in the vendor advisory at https://www.calero.com/ and the VulnCheck analysis at https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce.
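Upgrading closes the remoting exposure, but the summary above also notes that an attacker who has already read web.config holds the machineKey validation and decryption keys, and a forged ViewState signed with those keys stays valid until the keys change. The script below is an added example (not the advisory's or Calero's code) that a responder can run over a web.config to decide whether rotation is needed: it reports whether a machineKey element is present, whether it holds static keys, and whether the section is stored as a protected (encrypted) configuration section, in which case a file read yields only ciphertext. The three config fragments are constructed and the key values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments; the key values are placeholders, not real keys.
STATIC_KEYS = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

AUTO_KEYS = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

PROTECTED_SECTION = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""


def machine_key_status(xml_text: str) -> dict:
    """Classify the machineKey in a web.config and say whether a file-read
    exposure of that file means the keys must be rotated."""
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No element: ASP.NET auto-generates keys, so the file discloses none.
        return {"present": False, "protected": False, "static_keys": False, "rotate": False}
    # A protected section keeps only ciphertext on disk (DPAPI or RSA provider),
    # so reading the file does not yield usable keys.
    protected = mk.get("configProtectionProvider") is not None
    if protected:
        return {"present": True, "protected": True, "static_keys": None, "rotate": False}
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    # Either key given as a literal value (not AutoGenerate) is a static secret
    # that a forged ViewState can be built against.
    static = not (vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"))
    return {"present": True, "protected": False, "static_keys": static, "rotate": static}


def status_for_file(path: str) -> dict:
    """Same check against an on-disk web.config."""
    with open(path, encoding="utf-8-sig") as fh:
        return machine_key_status(fh.read())


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEYS), ("auto", AUTO_KEYS), ("protected", PROTECTED_SECTION)):
        print(name, machine_key_status(cfg))
```

Rotation has to be done on every server of a web farm at once, since the keys are shared precisely so that ViewState produced by one node validates on another; rotating only the host that was read leaves the forged payload valid elsewhere.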
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 for exploiting the unauthenticated public-facing .NET Remoting service; T1187 for forcing SMB authentication via UNC paths; T1552.001 for reading credentials and key material from web.config; T1005 for arbitrary file reads from the local system.