Description
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
Published: 2026-02-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The VeraSMART application stores static ASP.NET/IIS machineKey values in its web.config file; these keys are what protect ViewState data from tampering. An attacker who learns them can forge a ViewState payload that passes integrity validation and causes the server to deserialize attacker-controlled data, resulting in code execution within the IIS application process. The vulnerability directly exposes the server to compromise, allowing the attacker to run arbitrary code as the application's identity. The weakness is use of a hard-coded cryptographic key (CWE-321).

Affected Systems

Calero's VeraSMART platform in versions released before 2022 R1. The static keys are located under C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config and affect every instance deployed with that configuration.

Risk and Exploitability

With a CVSS score of 9.3 the flaw is rated critical, yet the EPSS score of less than 1% indicates a low probability of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires either direct access to the web.config file or another way of retrieving the static machineKey values, after which an attacker can craft a malicious ViewState token. The flaw is therefore high in severity but currently low in exploitation likelihood; timely remediation remains imperative.

Generated by OpenCVE AI on April 17, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade VeraSMART to version 2022 R1 or later, which implements dynamic machineKey values and mitigates the threat.
  • If an immediate upgrade is not feasible, replace the static machineKey entries in the web.config with unique, randomly generated keys, and make sure the new values are applied consistently across all environments that serve the application.
  • Restrict file system permissions on the web.config file to prevent unauthorized reading of the machineKey settings by non-privileged users.
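
The key rotation and permission hardening from the two bullets above, as an added PowerShell example (not Calero's or OpenCVE's code). It assumes the web.config path named in the advisory, an application pool identity of IIS AppPool\VeraSMART, and HMACSHA256/AES key sizes of 64 and 32 bytes; adjust those to the deployment.

```powershell
# Added example (not vendor code): audit a VeraSMART web.config for a static
# <machineKey> and, with -Rotate, replace it with fresh random keys and tighten
# the file ACL. Path is from the advisory; the app pool identity name is assumed.
param(
    [string]$WebConfigPath = 'C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config',
    [string]$AppPoolIdentity = 'IIS AppPool\VeraSMART',   # assumed name; confirm in IIS Manager
    [switch]$Rotate
)

# Cryptographically random key rendered as upper-case hex, the form machineKey expects.
function New-HexKey {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ([System.BitConverter]::ToString($buf)).Replace('-', '')
}

[xml]$cfg = Get-Content -Path $WebConfigPath -Raw
$mk = $cfg.configuration.'system.web'.machineKey
if ($null -eq $mk) {
    Write-Output 'No explicit <machineKey>: ASP.NET auto-generates per-app-pool keys.'
    return
}
Write-Output ('Static machineKey found: validation={0} decryption={1}' -f $mk.validation, $mk.decryption)
if (-not $Rotate) { return }

# Keep a timestamped backup, then write new keys: 64 bytes for HMACSHA256 validation,
# 32 bytes for AES-256 decryption. Every node serving the app must receive the same values.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$mk.SetAttribute('validationKey', (New-HexKey 64))
$mk.SetAttribute('decryptionKey', (New-HexKey 32))
$mk.SetAttribute('validation', 'HMACSHA256')
$mk.SetAttribute('decryption', 'AES')
$cfg.Save($WebConfigPath)

# Stop ACL inheritance and allow only SYSTEM, Administrators and the app pool identity.
$acl = Get-Acl -Path $WebConfigPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @($AppPoolIdentity,         'Read')
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($rule[0], $rule[1], 'Allow')))
}
Set-Acl -Path $WebConfigPath -AclObject $acl
Write-Output 'machineKey rotated and web.config ACL restricted; recycle the application pool.'
```

Run it with -Rotate on every node that serves the application so all of them share the new keys, then recycle the application pool. Existing ViewState and any forms-authentication tickets signed with the old keys become invalid after rotation.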



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:00:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:calero:verasmart:*:*:*:*:*:*:*:*
                           cpe:2.3:a:calero:verasmart:2022.0:-:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 16 Feb 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Calero
                                       Calero verasmart
Vendors & Products                     Calero
                                       Calero verasmart

Fri, 13 Feb 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
Title                          Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE
Weaknesses                     CWE-321
References
Metrics                        cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-18T15:44:20.710Z

Reserved: 2026-02-13T17:28:43.052Z

Link: CVE-2026-26335

Vulnrichment

Updated: 2026-02-13T21:26:47.285Z

NVD

Status: Analyzed

Published: 2026-02-13T21:16:52.927

Modified: 2026-02-26T22:45:37.080

Link: CVE-2026-26335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses