Description
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
Published: 2026-02-13
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Calero VeraSMART versions before 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs and accepts SOAP or binary remoting messages that are deserialized with a TypeFilterLevel of Full. An attacker can invoke these endpoints to read or write arbitrary files via the WebClient class, including configuration files that contain the IIS machineKey validation and decryption keys. With those keys, the attacker can craft a malicious ViewState payload and achieve remote code execution inside the IIS application context. The endpoints also accept UNC paths, which causes outbound SMB authentication from the service account and can leak NTLMv2 hashes for relay or offline cracking.

Affected Systems

Vendor: Calero; Product: VeraSMART; Affected versions: any installation prior to 2022 R1. No finer-grained version numbers are given beyond the 2022 R1 release milestone, so all older releases should be treated as susceptible. The .NET Remoting service listens over HTTP on TCP port 8001 and is reachable without authentication.

Risk and Exploitability

The CVSS score of 10 indicates a critical security impact. Despite an EPSS below 1%, the vulnerability remains a significant risk because it allows unauthenticated remote exploitation without privileged access or complex prerequisites. The attack path is short: an external actor connects to port 8001, invokes a remoting endpoint that deserializes the request with TypeFilterLevel Full, and performs file operations or builds a ViewState payload from the recovered machineKey. Although the probability of exploitation in the wild is currently low, the potential for full server compromise and credential theft is high. The vulnerability is not currently listed in the CISA KEV catalog, but its severity warrants urgent action.

Generated by OpenCVE AI on April 17, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Calero VeraSMART to version 2022 R1 or later to remove the exposed .NET Remoting service and its default ObjectURIs
  • If an upgrade is not immediately possible, disable the .NET Remoting HTTP listener on port 8001 or use a firewall to block inbound access to that port
  • Configure the application’s .NET Remoting formatters to use a restricted TypeFilterLevel instead of Full, or remove the service’s ability to accept SOAP and binary formatter messages with full type filtering
  • Ensure that machineKey values are protected and that ViewState validation is enabled to prevent construction of forged payloads
  • Audit and monitor SMB traffic for outbound authentication attempts from the service account, and enforce SMB signing and proper credential handling
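The following app.config fragment is an added illustration and is not Calero's or VeraSMART's actual configuration. It shows the .NET Remoting server settings that the bullets above ask for: the HTTP channel on 8001 pinned to loopback instead of every interface, and both formatters set to typeFilterLevel="Low" rather than the "Full" that this record describes. The type name and assembly name in the wellknown entry are placeholders; the objectUri matches one of the default URIs named in the description.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example (not the vendor's configuration). Hardened .NET Remoting
  server configuration for a service that previously matched the pattern
  in this record: HTTP channel on TCP 8001 reachable from the network,
  SOAP and binary formatters with typeFilterLevel="Full", and default
  object URIs such as EndeavorServer.rem. Type/assembly names are placeholders.
-->
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <!-- bindTo pins the listener to loopback, so the remoting endpoints
             are reachable only from the local host. The record's service
             had no such binding, which is why port 8001 was exposed. -->
        <channel ref="http" port="8001" bindTo="127.0.0.1">
          <serverProviders>
            <!-- "Low" is the default .NET server formatter level since 1.1 and
                 restricts which types a remoting message may deserialize.
                 "Full", used by the affected service, accepts the broad set of
                 serializable types that makes CWE-502 exploitable. -->
            <formatter ref="soap" typeFilterLevel="Low" />
            <formatter ref="binary" typeFilterLevel="Low" />
          </serverProviders>
        </channel>
      </channels>
      <service>
        <!-- Register only the objects that genuinely need to be remoted.
             An object that wraps file or network I/O for callers (the
             WebClient-backed receiver described in this record) should not
             be published at all; here it is simply absent. -->
        <wellknown mode="Singleton"
                   type="Example.EndeavorServer, Example.Server"
                   objectUri="EndeavorServer.rem" />
      </service>
    </application>
  </system.runtime.remoting>
</configuration>
```

Setting the filter level to Low narrows the deserialization surface but does not make .NET Remoting safe for untrusted callers; Microsoft documents it as a legacy technology that should not be exposed to hostile networks. The loopback binding and a host firewall rule on 8001 carry most of the risk reduction until the upgrade to 2022 R1 is applied, and any object whose methods take a file path or UNC path should be removed from the service table rather than merely filtered.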



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:calero:verasmart:*:*:*:*:*:*:*:*
cpe:2.3:a:calero:verasmart:2022.0:-:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Calero
Calero verasmart
Vendors & Products Calero
Calero verasmart

Fri, 13 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
Title Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE
Weaknesses CWE-306
CWE-502
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-18T15:43:16.082Z

Reserved: 2026-02-13T17:28:43.050Z

Link: CVE-2026-26333

Vulnrichment

Updated: 2026-02-13T21:25:08.510Z

NVD

Status : Analyzed

Published: 2026-02-13T21:16:52.440

Modified: 2026-02-26T22:46:30.153

Link: CVE-2026-26333

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses