CVE-2025-54366: FreeScout RCE Vulnerability

CVE-2025-54366 is a critical deserialization RCE vulnerability in FreeScout affecting versions 1.8.185 and below. Attackers with APP_KEY knowledge can achieve remote code execution. This article covers technical details, impact, and mitigation.

CVE-2025-54366 Overview

CVE-2025-54366 is an insecure deserialization vulnerability in FreeScout, a PHP-based open source help desk and shared inbox built on the Laravel framework. The flaw resides in the /conversation/ajax endpoint and affects versions 1.8.185 and below. Authenticated attackers with knowledge of the application's APP_KEY can submit crafted payloads through the attachments_all and attachments POST parameters. The application passes these values to the Helper::decrypt() function, which performs unsafe deserialization of user-controlled data. Successful exploitation enables arbitrary object instantiation and remote code execution on the host, leading to full compromise of the FreeScout instance. The weakness is classified as CWE-502 (Deserialization of Untrusted Data) and was fixed in version 1.8.186.

Critical Impact

Authenticated attackers with knowledge of the APP_KEY can achieve remote code execution and fully compromise the FreeScout web application.

Affected Products

  • FreeScout versions 1.8.185 and below
  • FreeScout help desk and shared inbox (PHP/Laravel)
  • Self-hosted FreeScout deployments exposing /conversation/ajax

Discovery Timeline

  • 2025-07-26 - CVE-2025-54366 published to the National Vulnerability Database
  • 2025-09-11 - Last updated in the NVD database

Technical Details for CVE-2025-54366

Vulnerability Analysis

FreeScout exposes an authenticated AJAX endpoint at /conversation/ajax that processes attachment metadata supplied through the attachments_all and attachments POST parameters. These values are decrypted and unserialized by the internal Helper::decrypt() routine, which neither restricts the classes unserialize() may instantiate nor validates the structure of the resulting object graph. An attacker who possesses the Laravel APP_KEY can therefore encrypt arbitrary serialized PHP payloads that the application accepts as legitimate. Because Laravel applications commonly include classes with magic methods such as __destruct or __wakeup, the attacker can chain gadgets to execute arbitrary PHP code in the context of the web server.

Root Cause

The root cause is unsafe use of unserialize() on attacker-controlled data inside Helper::decrypt(). PHP deserialization restores object state and triggers magic methods, allowing an attacker to instantiate arbitrary classes and manipulate their properties. The endpoint does not enforce an allow-list of expected types, nor does it validate that the decoded payload contains only attachment identifiers. This pattern matches CWE-502 (Deserialization of Untrusted Data).
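To make the root cause concrete, here is an added example (illustrative code, not FreeScout's Helper::decrypt() or Laravel's Crypt facade): a minimal encrypt/decrypt wrapper standing in for Laravel's APP_KEY-based encryption, followed by the unsafe decrypt-then-unserialize pattern and a hardened version that refuses object instantiation and keeps only values shaped like attachment identifiers. The key and the Marker class are constructed for the demonstration; it needs PHP 7.4 or later.

```php
<?php
// Added example, not FreeScout or Laravel code. The encrypt/decrypt pair below is a
// stand-in for Laravel's Crypt facade (AES-256-CBC plus HMAC, simplified); $key
// plays the role of APP_KEY. Laravel's Crypt::decrypt() likewise unserializes its
// payload unless decryptString() is used, which is why holding the key suffices.

function encryptPayload(string $key, string $plaintext): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64_encode($iv . $mac . $ct);
}

function decryptPayload(string $key, string $token): ?string {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 48) return null;
    $iv = substr($raw, 0, 16);
    $mac = substr($raw, 16, 32);
    $ct = substr($raw, 48);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) return null;
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Vulnerable pattern (CWE-502): the MAC only proves who holds the key, not that the
// plaintext is harmless, so unserialize() restores whatever object graph was sent.
function decryptUnsafe(string $key, string $token) {
    $pt = decryptPayload($key, $token);
    return $pt === null ? null : unserialize($pt);
}

// Hardened pattern: forbid object instantiation (allowed_classes => false) and deep
// nesting (max_depth, PHP 7.4+), then keep only values that look like attachment ids.
function decryptAttachmentIds(string $key, string $token): array {
    $pt = decryptPayload($key, $token);
    if ($pt === null) return [];
    $data = @unserialize($pt, ['allowed_classes' => false, 'max_depth' => 2]);
    if (!is_array($data)) return [];
    return array_values(array_filter($data, fn($v) => is_int($v) && $v > 0));
}

class Marker { public $hit = 'object restored'; }          // constructed stand-in class

$key = hash('sha256', 'placeholder-app-key', true);          // constructed 32-byte key
$legit = encryptPayload($key, serialize([12, 34]));
var_dump(decryptAttachmentIds($key, $legit));                // legitimate id list survives
$withObject = encryptPayload($key, serialize([new Marker()]));
var_dump(decryptUnsafe($key, $withObject)[0] instanceof Marker);   // unsafe helper rebuilt the object
var_dump(decryptAttachmentIds($key, $withObject));           // hardened helper drops it
```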

Attack Vector

Exploitation requires network access to the FreeScout instance, an authenticated session, and knowledge of the APP_KEY value stored in .env. APP_KEY disclosure can occur through misconfigured backups, exposed environment files, source code leaks, or insider access. Once an attacker holds the key, they encrypt a gadget chain payload, submit it to /conversation/ajax via the attachments_all or attachments field, and trigger code execution as the PHP process user.

```php
// Patch excerpt: app/Misc/Helper.php
// Adds OBJECT to the list of dangerous HTML tags stripped by FreeScout.
public static function stripDangerousTags($html)
{
-    $tags = ['script', 'form', 'iframe'];
+    $tags = ['script', 'form', 'iframe', 'object'];

    foreach ($tags as $tag) {
        $html = preg_replace('#<'.$tag.'(.*?)>(.*?)<\s*/\s*'.$tag.'\s*>#is', '', $html ?? '');
```

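Review bot: this hunk changes the tag list in stripDangerousTags(), an HTML-sanitisation function, while the Root Cause section above locates the vulnerability in an unrestricted unserialize() inside Helper::decrypt(); as quoted, the excerpt does not show the deserialization sink being removed or restricted, so either quote the part of commit 9669c57 that touches the decrypt path or caption this as an adjacent hardening change from the same commit. The excerpt is also cut off inside the foreach loop, so the function's closing braces are missing.
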
Source: FreeScout commit 9669c57

Detection Methods for CVE-2025-54366

Indicators of Compromise

  • POST requests to /conversation/ajax containing unusually large or base64-like values in the attachments_all or attachments parameters.
  • Unexpected child processes spawned by the PHP-FPM or web server user, such as sh, bash, python, or curl.
  • Outbound network connections from the FreeScout host to unknown IP addresses shortly after AJAX requests.
  • New or modified PHP files in the FreeScout web root or storage directories without a corresponding deployment.

Detection Strategies

  • Inspect web server access logs for authenticated /conversation/ajax requests that include the attachments_all or attachments fields with non-standard payload sizes.
  • Monitor file integrity of the FreeScout application directory to detect webshell drops or modified Laravel cache files.
  • Correlate authentication events with subsequent process execution telemetry from the FreeScout host to identify post-exploitation activity.
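As an added example of the first detection strategy (constructed sample lines, not code from the page or from FreeScout): a small PHP CLI scanner that flags POST requests to /conversation/ajax whose request size is out of line. It assumes an nginx log_format that appends $request_length after the user agent, since the standard combined format records only the response size; the 4 KiB threshold is an assumption to tune against the site's normal traffic.

```php
<?php
// Added example, not FreeScout code. Assumed log_format: combined + " $request_length".
const LOG_RE = '/^(?<ip>\S+) \S+ (?<user>\S+) \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "[^"]*" (?<reqlen>\d+)$/';

// Return one record per POST to /conversation/ajax whose request exceeded $maxBytes.
function flagSuspiciousAjax(array $lines, int $maxBytes = 4096): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) continue;          // skip lines in another format
        $path = strtok($m['path'], '?');                        // drop any query string
        if ($m['method'] !== 'POST' || $path !== '/conversation/ajax') continue;
        if ((int)$m['reqlen'] <= $maxBytes) continue;           // normal-sized attachment list
        $hits[] = ['ip' => $m['ip'], 'ts' => $m['ts'],
                   'bytes' => (int)$m['reqlen'], 'status' => $m['status']];
    }
    return $hits;
}

// Constructed sample lines: one ordinary POST, one oversized POST, one unrelated GET.
$sample = [
    '203.0.113.5 - - [26/Jul/2025:10:01:02 +0000] "POST /conversation/ajax HTTP/1.1" 200 312 "-" "Mozilla/5.0" 1480',
    '203.0.113.5 - - [26/Jul/2025:10:03:44 +0000] "POST /conversation/ajax HTTP/1.1" 200 312 "-" "Mozilla/5.0" 19876',
    '198.51.100.9 - - [26/Jul/2025:10:04:10 +0000] "GET /conversation/ajax?x=1 HTTP/1.1" 200 88 "-" "curl/8.0" 190',
];
print_r(flagSuspiciousAjax($sample));   // only the oversized POST is reported
```

Pipe a real access log in with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` in place of `$sample`, and review the flagged entries alongside the process-creation and egress telemetry described in the next section.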

Monitoring Recommendations

  • Alert on any access to .env files or backups that may expose the Laravel APP_KEY.
  • Log and review process creation events on the FreeScout server, focusing on shells and scripting interpreters launched by the web server user.
  • Track egress traffic from FreeScout hosts and flag connections to non-business destinations.

How to Mitigate CVE-2025-54366

Immediate Actions Required

  • Upgrade FreeScout to version 1.8.186 or later, which contains the official fix.
  • Rotate the Laravel APP_KEY after upgrading and re-encrypt any data that depended on the previous key.
  • Audit user accounts and revoke sessions to ensure attackers cannot reuse stolen credentials post-patch.
  • Review web server, PHP, and application logs for prior exploitation attempts against /conversation/ajax.

Patch Information

The vendor released the fix in FreeScout 1.8.186. Details are available in the FreeScout Security Advisory GHSA-vcc2-6r66-gvvj and the corresponding GitHub commit 9669c57. Administrators should follow the standard FreeScout upgrade procedure and clear Laravel caches after the update.

Workarounds

  • Restrict network access to FreeScout administrative and AJAX endpoints using a reverse proxy or firewall allow-list until patching is complete.
  • Ensure the .env file and any backups containing APP_KEY are stored with strict file permissions and excluded from public web paths.
  • Enforce strong authentication and least-privilege roles to limit which users can reach the /conversation/ajax endpoint.

```bash
# Confirm the installed FreeScout version (FreeScout records it in config/app.php;
# `php artisan --version` reports the underlying Laravel framework version)
cd /var/www/freescout
php artisan --version
grep "'version'" config/app.php

# Rotate the Laravel APP_KEY after upgrading to 1.8.186, then clear cached config
# (key:generate rewrites APP_KEY in .env; data encrypted under the old key must be
# re-encrypted, as noted above)
php artisan key:generate
php artisan config:clear
php artisan cache:clear

# Restrict the .env file to the web server user (adjust the user/group to match
# your deployment)
chmod 600 .env
chown www-data:www-data .env
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.