CVE-2026-26333 Overview
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001 that enables remote code execution. The vulnerability stems from the service publishing default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) while permitting SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class, ultimately achieving remote code execution within the IIS application context.
Critical Impact
This vulnerability allows unauthenticated attackers to read sensitive configuration files, extract IIS machineKey credentials, and achieve full remote code execution on affected Calero VeraSMART systems via malicious ASP.NET ViewState payloads.
Affected Products
- Calero VeraSMART versions prior to 2022 R1
- Systems running the .NET Remoting HTTP service on TCP port 8001
- IIS applications utilizing the vulnerable VeraSMART configuration
Discovery Timeline
- 2026-02-13 - CVE CVE-2026-26333 published to NVD
- 2026-02-13 - Last updated in NVD database
Technical Details for CVE-2026-26333
Vulnerability Analysis
This authentication bypass vulnerability (CWE-306: Missing Authentication for Critical Function) exposes a dangerous attack surface through the .NET Remoting framework. The service configuration allows any remote client to connect to the published ObjectURIs without credential verification. Because the TypeFilterLevel is set to Full, the deserializer accepts arbitrary types, enabling attackers to invoke powerful framework classes like WebClient for arbitrary file operations.
The exploitation chain begins with arbitrary file read capabilities, which allows an attacker to retrieve sensitive configuration files such as WebRoot\web.config. This file typically contains the IIS machineKey validation and decryption keys. With these cryptographic secrets in hand, an attacker can craft a malicious ASP.NET ViewState payload that, when processed by the server, results in arbitrary code execution within the IIS worker process context.
Root Cause
The root cause is the missing authentication mechanism for the .NET Remoting HTTP service combined with an overly permissive serialization configuration. The service exposes default ObjectURIs without implementing any access controls, and the TypeFilterLevel.Full setting allows deserialization of arbitrary types. This configuration was likely intended for internal or development use but was inadvertently left enabled in production deployments, creating a direct path to remote code execution.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can reach the vulnerable service by connecting to TCP port 8001 on any exposed VeraSMART installation. The exploitation follows a multi-stage approach:
File Read Stage: The attacker invokes the RemoteFileReceiver.rem endpoint using the WebClient class to read sensitive files, particularly targeting WebRoot\web.config to extract IIS machineKey values.
ViewState Payload Generation: Using the extracted validationKey and decryptionKey, the attacker generates a malicious ASP.NET ViewState payload containing arbitrary code execution gadgets.
Code Execution: The crafted ViewState is submitted to the IIS application, where it gets deserialized with the extracted keys, triggering code execution in the IIS application pool identity context.
Additionally, if an attacker supplies a UNC path (e.g., \\attacker-server\share\file) to the file operations, the service account will initiate outbound SMB authentication, potentially exposing NTLMv2 hashes for relay attacks or offline password cracking.
Detection Methods for CVE-2026-26333
Indicators of Compromise
- Unexpected network connections to TCP port 8001 from external or unauthorized sources
- HTTP requests targeting .rem endpoints such as EndeavorServer.rem or RemoteFileReceiver.rem
- Outbound SMB connections (TCP port 445) initiated by the VeraSMART service account to unknown destinations
- Access attempts to web.config files or other sensitive configuration files through the remoting service
- Anomalous IIS worker process behavior following ViewState processing
Detection Strategies
- Monitor network traffic for .NET Remoting SOAP or binary format messages on TCP port 8001
- Implement file integrity monitoring on web.config and other sensitive IIS configuration files
- Deploy network intrusion detection signatures for .NET Remoting exploitation patterns
- Alert on outbound SMB authentication attempts from application service accounts to external IP addresses
- Review IIS logs for unusual ViewState submissions or deserialization errors
Monitoring Recommendations
- Enable verbose logging for the VeraSMART application and .NET Remoting service
- Configure SIEM alerts for TCP port 8001 traffic anomalies and unauthorized access attempts
- Monitor Windows Security Event logs for authentication failures and service account activity
- Implement network segmentation monitoring to detect lateral movement following potential compromise
How to Mitigate CVE-2026-26333
Immediate Actions Required
- Upgrade Calero VeraSMART to version 2022 R1 or later immediately
- Block inbound access to TCP port 8001 at network perimeter firewalls
- Restrict access to the .NET Remoting service to only trusted internal IP addresses
- Rotate IIS machineKey values if exposure is suspected
- Review service account permissions and implement least privilege principles
Patch Information
Calero has addressed this vulnerability in VeraSMART version 2022 R1 and later releases. Organizations should contact Calero or visit the Calero Official Website for upgrade guidance. Additional technical details are available in the VulnCheck Advisory on Calero.
Workarounds
- Implement firewall rules to block all external access to TCP port 8001
- Deploy web application firewall (WAF) rules to filter malicious .NET Remoting requests
- Disable the .NET Remoting service if not required for business operations
- Configure outbound SMB filtering to prevent NTLMv2 hash exposure via UNC path attacks
- Implement network segmentation to isolate VeraSMART servers from untrusted networks
# Example firewall rule to block external access to .NET Remoting service
# Windows Firewall (PowerShell)
New-NetFirewallRule -DisplayName "Block VeraSMART Remoting External" -Direction Inbound -LocalPort 8001 -Protocol TCP -Action Block -RemoteAddress "Any"
# Allow only specific trusted internal subnet
New-NetFirewallRule -DisplayName "Allow VeraSMART Remoting Internal" -Direction Inbound -LocalPort 8001 -Protocol TCP -Action Allow -RemoteAddress "10.0.0.0/8"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
