Impact
FreeScout’s email ingestion logic allows agent replies to be identified by parsing the Message-ID header. In the notification reply path, the thread and user identifiers are extracted from the Message-ID without verifying an HMAC. An attacker who can forge the From address of a helpdesk agent can craft a message that FreeScout will process as a legitimate agent reply, automatically forwarding it to the intended customer using the organization’s SMTP server. This flaw permits the attacker to impersonate an agent and send arbitrary content to unsuspecting customers, potentially delivering malware, phishing content, or confidential information. The vulnerability manifests as improper authentication and exposure of a secret key used for HMAC verification.
Affected Systems
The affected product is FreeScout (the free help-desk and shared inbox platform built on PHP's Laravel framework). All versions prior to 1.8.220 implement the flawed notification reply path. Versions 1.8.220 and later contain the fix that enforces HMAC verification of the Message-ID. The CVE applies specifically to the FetchEmails command within the email processing pipeline used by the FreeScout help-desk system.
Risk and Exploitability
The CVSS score of 7.5 indicates a high impact on confidentiality and integrity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited public exploitation data. However, the attack path does not require privileged access; an external attacker only needs to send an email to the helpdesk mailbox with a forged From address and a Message-ID containing the correct thread and user identifiers. This makes the vulnerability relatively easy to exploit if the attacker controls an email account that can reach the helpdesk mailbox, such as a compromised email or a malicious external sender. The absence of HMAC verification allows this impersonation to succeed blindly, exposing customers to unintended communications from an unauthenticated source.
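To make the difference between the flawed and the fixed reply path concrete, here is an added PHP example (not FreeScout's own code; the Message-ID layout, the field separators, the constant names and the secret are all assumptions made for this illustration). The unsafe parser trusts whatever thread and user identifiers it finds in the header, which is the pattern the advisory describes; the hardened parser only accepts identifiers whose HMAC, computed with a server-side secret, verifies in constant time.

```php
<?php
// Added example, not FreeScout's code. Shows a notification reply identifier
// carried in a Message-ID, parsed two ways: without and with HMAC verification.
// Header layout, separators and the secret below are assumptions for this example.

declare(strict_types=1);

// Assumption: a secret that stays on the server and is never put in any email.
const REPLY_SECRET = 'example-secret-change-me';

// Build the Message-ID the helpdesk would stamp on its own outgoing notification:
// "<reply-THREAD-USER-HMAC@domain>", where HMAC covers "THREAD-USER".
function buildReplyMessageId(int $threadId, int $userId, string $secret, string $domain): string
{
    $payload = $threadId . '-' . $userId;
    $mac = hash_hmac('sha256', $payload, $secret);
    return '<reply-' . $payload . '-' . $mac . '@' . $domain . '>';
}

// Flawed pattern: identifiers are taken from the header as-is, so any sender
// who places plausible numbers in a Message-ID is treated as that agent.
function parseReplyMessageIdUnsafe(string $messageId): ?array
{
    if (preg_match('/^<reply-(\d+)-(\d+)(?:-[0-9a-f]+)?@[^>]+>$/', $messageId, $m)) {
        return ['thread_id' => (int) $m[1], 'user_id' => (int) $m[2]];
    }
    return null;
}

// Hardened pattern: identifiers are trusted only when the MAC over them,
// recomputed with the server-side secret, matches the one in the header.
function parseReplyMessageIdSafe(string $messageId, string $secret): ?array
{
    if (!preg_match('/^<reply-(\d+)-(\d+)-([0-9a-f]{64})@[^>]+>$/', $messageId, $m)) {
        return null; // no MAC present: not something this server issued
    }
    $expected = hash_hmac('sha256', $m[1] . '-' . $m[2], $secret);
    if (!hash_equals($expected, $m[3])) { // constant-time comparison
        return null; // identifiers present but not authenticated
    }
    return ['thread_id' => (int) $m[1], 'user_id' => (int) $m[2]];
}

// Constructed inputs: one header the server issued itself, one that carries
// only guessed identifiers, and one with an identifier-only header plus a bogus MAC.
$genuine = buildReplyMessageId(42, 7, REPLY_SECRET, 'helpdesk.example');
$noMac   = '<reply-42-7@helpdesk.example>';
$badMac  = '<reply-42-7-' . str_repeat('0', 64) . '@helpdesk.example>';

foreach (['genuine' => $genuine, 'no MAC' => $noMac, 'bad MAC' => $badMac] as $label => $header) {
    $unsafe = parseReplyMessageIdUnsafe($header) !== null ? 'accepted' : 'rejected';
    $safe   = parseReplyMessageIdSafe($header, REPLY_SECRET) !== null ? 'accepted' : 'rejected';
    printf("%-8s unsafe parser: %-8s  hmac parser: %s\n", $label, $unsafe, $safe);
}
```

Only the genuine header passes the HMAC parser; the unsafe parser accepts all three, which is exactly the condition under which a message with a forged agent From address is relayed to the customer. Note that the check is only as strong as the secret: the advisory also lists exposure of the HMAC key as part of this flaw, so operators upgrading to 1.8.220 or later should treat any key that may have been disclosed as needing rotation, since a known key lets anyone mint valid identifiers.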
OpenCVE Enrichment