CVE-2026-26335
Published: 13 February 2026
Description
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
Mitigating Controls (NIST 800-53 r5)
- SC-12, Cryptographic Key Establishment and Management: keys are generated per installation and managed securely. A machineKey hard-coded in the product (CWE-321) is the same on every installation and therefore known to anyone with a copy of it, which is exactly what lets an attacker produce ViewState that passes integrity validation and is deserialized.
- CM-6, Configuration Settings: a secure baseline for the VeraSMART web.config requires that the machineKey validationKey and decryptionKey are either auto-generated or unique to the host, never the vendor-shipped values.
- SI-2, Flaw Remediation: timely patching to 2022 R1 or later, which no longer relies on the static keys; until the upgrade is applied, regenerating the machineKey on each host removes the attacker's ability to forge a valid MAC.
Security Summary
CVE-2026-26335 is a critical vulnerability in Calero VeraSMART versions prior to 2022 R1, stemming from the use of static ASP.NET/IIS machineKey values configured for the VeraSMART web application. These keys are stored in the file C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. The issue, classified under CWE-321 (Use of Hard-coded Cryptographic Key), allows an attacker who obtains these keys to craft ASP.NET ViewState payloads that pass integrity validation, resulting in server-side deserialization and remote code execution within the context of the IIS application. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-13.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. Because the machine keys are hard-coded, the attacker does not need to read web.config on the target; the values can be taken from any installation of the product. Holding the validationKey (and decryptionKey, where ViewState encryption is enabled), the attacker signs a ViewState payload containing a deserialization gadget chain, and the server accepts it as integrity-checked input and deserializes it before any application-level authorization takes place, yielding code execution as the IIS application pool identity.
Advisories, including the one from VulnCheck at https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-static-iis-machine-keys-enable-viewstate-rce and the vendor site at https://www.calero.com/, note that Calero VeraSMART 2022 R1 addresses the issue by moving away from static keys; upgrading is the primary mitigation. After upgrading, confirm that the web.config machineKey element no longer carries the old values, since any host still configured with them remains forgeable regardless of application version.
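The script below is an added example for this page (not Calero's, VeraSMART's or Microsoft's code) tying together the description above and the mitigating controls: it audits a web.config for a static machineKey, shows that anyone holding the validationKey can mint ViewState that passes the integrity check, and shows that rotating to per-installation keys invalidates such a token. Assumptions: the standard <system.web><machineKey> element; ViewState integrity modelled as a plain HMAC-SHA256 over the serialized state with the validationKey (real ASP.NET 4.5+ derives a purpose-specific key first, so the MAC bytes will not match a live server, but the property demonstrated is the same); the sample config and key material are constructed and are not the product's real keys.

```python
"""Audit an ASP.NET web.config for a static <machineKey>, show why a known key
lets an attacker mint ViewState that passes the integrity check, and rotate it.

Added example; not vendor code. The MAC below is a simplified model of the
ASP.NET ViewState MAC and the sample key material is constructed.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed web.config, shaped like one shipped with a hard-coded key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210" />
  </system.web>
</configuration>
"""


def find_machine_key(config_xml: str):
    """Return the attributes of the first <machineKey> element, or None."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    return dict(node.attrib) if node is not None else None


def is_static_machine_key(attrs) -> bool:
    """True when validationKey or decryptionKey is explicit hex rather than
    AutoGenerate[,IsolateApps] (the ASP.NET default when the attribute is absent).
    An explicit key is legitimate on a web farm, but it must have been generated
    for this installation; a value shipped in the product is known to everyone
    who has a copy of it, which is the condition behind CWE-321."""
    if not attrs:
        return False
    return any(
        not attrs.get(name, "AutoGenerate").upper().startswith("AUTOGENERATE")
        for name in ("validationKey", "decryptionKey")
    )


def viewstate_mac(validation_key_hex: str, state: bytes) -> bytes:
    """Simplified ViewState MAC: HMAC-SHA256(validationKey, state)."""
    return hmac.new(bytes.fromhex(validation_key_hex), state, hashlib.sha256).digest()


def sign_viewstate(validation_key_hex: str, state: bytes) -> str:
    """What the server, or anyone else holding the key, does: base64(state || MAC)."""
    return base64.b64encode(state + viewstate_mac(validation_key_hex, state)).decode()


def verify_viewstate(validation_key_hex: str, token: str) -> bool:
    """Server-side integrity check; a True result is what precedes deserialization."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return False
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    return hmac.compare_digest(mac, viewstate_mac(validation_key_hex, state))


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with fresh per-installation keys: a 64-byte validationKey
    for HMACSHA256 and a 32-byte decryptionKey for AES."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        raise ValueError("no <machineKey> element to rotate")
    node.set("validationKey", secrets.token_hex(64).upper())
    node.set("decryptionKey", secrets.token_hex(32).upper())
    node.set("validation", "HMACSHA256")
    node.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


def demo():
    """Attacker with the shipped key forges a token; rotation invalidates it."""
    attrs = find_machine_key(SAMPLE_WEB_CONFIG)
    static = is_static_machine_key(attrs)
    # The attacker never touches this server: the key came from their own copy
    # of the product. The payload stands in for a serialized gadget chain.
    forged = sign_viewstate(attrs["validationKey"], b"<attacker-controlled serialized state>")
    accepted_before = verify_viewstate(attrs["validationKey"], forged)
    rotated = find_machine_key(rotate_machine_key(SAMPLE_WEB_CONFIG))
    accepted_after = verify_viewstate(rotated["validationKey"], forged)
    return static, accepted_before, accepted_after


if __name__ == "__main__":
    print("static key: %s, forged token accepted before rotation: %s, after rotation: %s" % demo())
```

Run it against a copy of the real web.config by replacing SAMPLE_WEB_CONFIG with the file's contents; a static result means the keys should be compared with the vendor's shipped values and, in any case, regenerated per host (the output of rotate_machine_key is a drop-in replacement for the element, and the application pool must be recycled afterwards).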
Details
- CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key)
Affected Products
- Calero VeraSMART, versions prior to 2022 R1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote, unauthenticated exploitation of a public-facing ASP.NET/IIS web application: static machineKey values let an attacker submit crafted ViewState that is deserialized for RCE, which maps directly to T1190: Exploit Public-Facing Application.