← Back
2026-02-13 20:51CVE-2026-26333VulnCheck
PUBLISHED5.2CWE-306CWE-502

Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

Problem type

Affected products

Calero

VeraSMART

< 2022 R1 - AFFECTED

References

calero.com

https://www.calero.com/

product
vulncheck.com

https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce

third-party-advisory

GitHub Security Advisories

GHSA-m4w4-g5c5-j4f4

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service...

https://github.com/advisories/GHSA-m4w4-g5c5-j4f4

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-26333

calero.com

https://www.calero.com

vulncheck.com

https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce

github.com

https://github.com/advisories/GHSA-m4w4-g5c5-j4f4

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-26333
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-26333",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-02-13T21:25:25.994Z",
    "dateReserved": "2026-02-13T17:28:43.050Z",
    "datePublished": "2026-02-13T20:51:57.479Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-02-13T20:51:57.479Z"
      },
      "title": "Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE",
      "descriptions": [
        {
          "lang": "en",
          "value": "Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Calero VeraSMART versions prior to&nbsp;2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking."
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Calero",
          "product": "VeraSMART",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "custom",
              "lessThan": "2022 R1"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "cweId": "CWE-306",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "cweId": "CWE-502",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.calero.com/",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Victor A. Morales, Senior Pentester Team Leader, GM SecTec Inc.",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "Jan A. Rodriguez, Pentester Jr., GM SecTec Inc.",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-02-13T21:25:25.994Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}