Cyber Posture

CVE-2026-26333

Critical · Public PoC · RCE

Published: 13 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: available; upgrade to VeraSMART 2022 R1 or later
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26333 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Calero VeraSMART, affecting versions prior to 2022 R1. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS score should not be read as low risk: the flaw is network-reachable without authentication, a public proof-of-concept exists, and the chain laid out in the NVD description ends in remote code execution, so a single instance with TCP port 8001 exposed is enough.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-41 (Port and I/O Device Access). Note that SC-41 in 800-53 r5 governs physical connection ports and I/O devices; the network-level restriction of TCP port 8001 described below is boundary protection, which 800-53 r5 catalogues as SC-7.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and three other techniques (T1187, T1552.001, T1005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly mitigates the CVE by requiring timely remediation of the flaw through upgrading Calero VeraSMART to 2022 R1 or later, eliminating the vulnerable .NET Remoting service exposure.

prevent: Prohibits unauthenticated actions like arbitrary file read/write via exposed remoting endpoints, addressing CWE-306 missing authentication for critical functions.

prevent: Restricts network access to TCP port 8001 at managed interfaces, blocking unauthenticated remote attackers from reaching the vulnerable .NET Remoting service.
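As an added example (not code from this page, from Calero, or from NIST), the following Python audits a .NET Remoting <system.runtime.remoting> configuration for the exposure the controls above target: a channel on TCP 8001 reachable from the network and SOAP/binary formatters at TypeFilterLevel Full. Both configuration documents are constructed; the type and assembly names are placeholders, and the hardened variant's loopback bindTo and Low filter level are an assumed interim compensating measure, not vendor guidance. Microsoft treats .NET Remoting as a legacy technology that should not be exposed to untrusted clients, so the audit is a way to find and confirm the weak settings, while the fix the advisory gives is the upgrade to 2022 R1 or later.

```python
"""Audit a .NET Remoting <system.runtime.remoting> configuration for the
exposure pattern behind CVE-2026-26333: an HTTP channel reachable from the
network on TCP 8001 whose SOAP/binary formatters run at typeFilterLevel="Full".
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

REMOTING_PORT = 8001
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed example of the weak configuration described in the advisory.
# Type and assembly names are placeholders, not VeraSMART's real ones.
WEAK_CONFIG = """\
<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <wellknown mode="Singleton" objectUri="EndeavorServer.rem"
                   type="Example.EndeavorServer, Example" />
        <wellknown mode="Singleton" objectUri="RemoteFileReceiver.rem"
                   type="Example.RemoteFileReceiver, Example" />
      </service>
      <channels>
        <channel ref="http" port="8001">
          <serverProviders>
            <formatter ref="soap" typeFilterLevel="Full" />
            <formatter ref="binary" typeFilterLevel="Full" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
"""

# Constructed interim hardening (an assumption, not vendor guidance): bind the
# channel to loopback so it is unreachable from the network, and leave the
# formatters at the default Low filter level. Upgrading remains the real fix.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<channel ref="http" port="8001">',
    '<channel ref="http" port="8001" bindTo="127.0.0.1">',
).replace('typeFilterLevel="Full"', 'typeFilterLevel="Low"')


def audit_remoting_config(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one configuration document."""
    root = ET.fromstring(xml_text)
    # iter() matches the literal tag; find() would parse the dots as path steps.
    remoting = next(root.iter("system.runtime.remoting"), None)
    findings: list[tuple[str, str]] = []
    if remoting is None:
        return findings

    for ch in remoting.iter("channel"):
        ref, port, bind = ch.get("ref", "?"), ch.get("port"), ch.get("bindTo")
        # A server channel with a port and no loopback bindTo listens on every interface.
        if port is not None and bind not in LOOPBACK:
            sev = "high" if int(port) == REMOTING_PORT else "medium"
            findings.append((sev, f"channel ref={ref} listens on port {port} on every interface (no loopback bindTo)"))
        for fmt in ch.iter("formatter"):
            # Low has been the default since .NET 1.1; Full lets arbitrary types through.
            if fmt.get("typeFilterLevel", "Low").lower() == "full":
                findings.append(("high", f"formatter ref={fmt.get('ref', '?')} uses typeFilterLevel=Full on channel {ref}"))

    uris = [w.get("objectUri", "") for w in remoting.iter("wellknown")]
    if uris:
        findings.append(("info", "published ObjectURIs: " + ", ".join(uris)))
    return findings


def is_exposed(xml_text: str) -> bool:
    """True when any high-severity finding is present."""
    return any(sev == "high" for sev, _ in audit_remoting_config(xml_text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_remoting_config(cfg):
            print(f"[{sev}] {msg}")
```

Run it against the remoting configuration files found on the VeraSMART host; a channel finding on port 8001 together with Full-level formatters is the configuration the advisory describes, and the info line lists the ObjectURIs an unauthenticated client can reach.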

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1187 Forced Authentication (Credential Access): Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

T1190 for exploiting the unauthenticated public-facing .NET Remoting service; T1187 for forcing SMB authentication via UNC paths; T1552.001 for reading credentials/key material from web.config; T1005 for arbitrary file reads from local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

Deeper analysis (AI-generated)

CVE-2026-26333 affects Calero VeraSMART versions prior to 2022 R1, which expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs such as EndeavorServer.rem and RemoteFileReceiver.rem, and it permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. This configuration enables an unauthenticated remote attacker to invoke the exposed remoting endpoints and perform arbitrary file read and write operations via the WebClient class. The vulnerability is associated with CWE-306 (Missing Authentication for Critical Function) and CWE-502 (Deserialization of Untrusted Data), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By invoking the remoting endpoints, the attacker can retrieve sensitive files such as WebRoot\web.config, potentially disclosing IIS machineKey validation and decryption keys. These keys allow the generation of a malicious ASP.NET ViewState payload, leading to remote code execution within the IIS application context. Additionally, supplying a UNC path to the endpoints can trigger outbound SMB authentication from the service account, exposing NTLMv2 hashes for potential relay attacks or offline cracking.
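As an added detection example (not part of this page and not from Calero, NVD, or VulnCheck), the following Python hunts Zeek-style http.log and conn.log rows for the chain described above: requests to the published .rem ObjectURIs on TCP 8001 from hosts outside an allowlist, then outbound SMB from the VeraSMART server within a short window after such a request, which is the footprint of the UNC-path NTLM leak. The log rows, IP addresses, the 30-second window, and the simplified column layout are constructed assumptions; adapt the parsers to your sensor's actual schema.

```python
"""Hunt for CVE-2026-26333 exploitation against Calero VeraSMART in
Zeek-style http.log / conn.log rows.

Two signals from the attack chain in the advisory:
  1. Requests to the published .NET Remoting ObjectURIs on TCP 8001 from a
     source that is not an approved management host (T1190).
  2. Outbound SMB (tcp/445) from the VeraSMART server shortly after such a
     request, consistent with a UNC path forcing NTLM authentication (T1187).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

REMOTING_PORT = 8001
# ObjectURIs named in the advisory; ".rem" is the .NET Remoting default suffix.
KNOWN_URIS = {"/endeavorserver.rem", "/remotefilereceiver.rem"}
SMB_WINDOW_SECONDS = 30.0  # assumption: tune to observed server behaviour


@dataclass(frozen=True)
class HttpEvent:
    ts: float
    src: str
    dst: str
    dst_port: int
    method: str
    uri: str


@dataclass(frozen=True)
class ConnEvent:
    ts: float
    src: str
    dst: str
    dst_port: int
    proto: str


def _rows(lines: Iterable[str]) -> Iterable[list[str]]:
    """Yield tab-separated fields, skipping Zeek '#' header lines and blanks."""
    for line in lines:
        if line.strip() and not line.startswith("#"):
            yield line.rstrip("\n").split("\t")


def parse_http_log(lines: Iterable[str]) -> list[HttpEvent]:
    # Assumed column order: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, method, uri
    return [HttpEvent(float(f[0]), f[1], f[3], int(f[4]), f[5], f[6]) for f in _rows(lines)]


def parse_conn_log(lines: Iterable[str]) -> list[ConnEvent]:
    # Assumed column order: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
    return [ConnEvent(float(f[0]), f[1], f[3], int(f[4]), f[5]) for f in _rows(lines)]


def find_remoting_hits(events: Iterable[HttpEvent], allowed_sources: frozenset[str]) -> list[dict]:
    """Flag requests to .rem ObjectURIs on the remoting port from non-allowlisted sources."""
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.dst_port != REMOTING_PORT or e.src in allowed_sources:
            continue
        path = e.uri.split("?", 1)[0]
        if not path.lower().endswith(".rem"):
            continue
        known = path.lower() in KNOWN_URIS
        hits.append({
            "ts": e.ts, "src": e.src, "server": e.dst, "method": e.method,
            "uri": path, "severity": "high" if known else "medium",
            "smb_targets": [],
        })
    return hits


def correlate_ntlm_leak(hits: list[dict], conns: Iterable[ConnEvent],
                        window: float = SMB_WINDOW_SECONDS) -> list[dict]:
    """Attach outbound SMB connections the server made within `window` seconds of a hit."""
    conns = list(conns)
    for h in hits:
        for c in conns:
            after = c.ts - h["ts"]
            if (c.src == h["server"] and c.dst_port == 445 and c.proto == "tcp"
                    and 0 <= after <= window and c.dst not in h["smb_targets"]):
                h["smb_targets"].append(c.dst)
        if h["smb_targets"]:
            h["severity"] = "critical"  # file access plus forced authentication
    return hits


def run_detection(http_lines, conn_lines, allowed_sources=frozenset()) -> list[dict]:
    hits = find_remoting_hits(parse_http_log(http_lines), allowed_sources)
    return correlate_ntlm_leak(hits, parse_conn_log(conn_lines))


# Constructed sample rows (not real traffic). 10.0.5.20 is the VeraSMART host,
# 10.0.9.5 an approved management host, 203.0.113.77 an external attacker.
SAMPLE_HTTP_LOG = [
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\turi",
    "1770987600.100\t203.0.113.77\t51812\t10.0.5.20\t8001\tPOST\t/EndeavorServer.rem",
    "1770987600.250\t203.0.113.77\t51813\t10.0.5.20\t8001\tPOST\t/RemoteFileReceiver.rem",
    "1770987610.000\t10.0.9.5\t40022\t10.0.5.20\t8001\tPOST\t/EndeavorServer.rem",
    "1770987615.000\t203.0.113.77\t51820\t10.0.5.20\t443\tGET\t/login.aspx",
]
SAMPLE_CONN_LOG = [
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1770987602.000\t10.0.5.20\t49771\t203.0.113.77\t445\ttcp\tsmb",
    "1770987650.000\t10.0.5.20\t49790\t10.0.1.10\t445\ttcp\tsmb",
]
ALLOWED_SOURCES = frozenset({"10.0.9.5"})

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_HTTP_LOG, SAMPLE_CONN_LOG, ALLOWED_SOURCES):
        print(finding)
```

Because the remoting service listens on its own port rather than inside IIS, the IIS W3C logs will not show these requests; network telemetry (Zeek, firewall, NetFlow) in front of the host is the place to look. A hit that is followed by outbound SMB to the same external address is the strongest indicator, since a legitimate VeraSMART server has no reason to authenticate to an Internet host.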

Advisories recommend upgrading to Calero VeraSMART 2022 R1 or later, as prior versions are vulnerable due to the exposed remoting service. Because the attack chain discloses the IIS machineKey from web.config, upgrading alone does not revoke keys an attacker may already have read: on any instance that was reachable on TCP port 8001 while vulnerable, rotate the machineKey (and any other secrets stored in web.config), review IIS logs for forged ViewState requests, and check the host for unexpected outbound SMB authentication. Further details on patches and remediation are available in the vendor advisory at https://www.calero.com/ and the VulnCheck analysis at https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-502 (Deserialization of Untrusted Data)

Affected Products: calero / verasmart, version 2022.0 (≤ 2022.0); the NVD description gives the affected range as versions prior to 2022 R1.

CVEs Like This One

CVE-2026-26335 (same product: Calero VeraSMART)
CVE-2026-26334 (same product: Calero VeraSMART)
CVE-2025-35050 (shared CWE-306, CWE-502)
CVE-2025-35051 (shared CWE-306, CWE-502)
CVE-2026-26222 (shared CWE-502)
CVE-2024-13186 (shared CWE-306)
CVE-2020-37146 (shared CWE-306)
CVE-2026-34732 (shared CWE-306)
CVE-2025-43428 (shared CWE-306)
CVE-2025-30111 (shared CWE-306)

References