CVE-2026-26333CRITICAL 9.8EPSS p55.9%

CVE-2026-26333CVE-2026-26333

Description

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.93% probability of exploitation · percentile 55.9% · 2026-06-18T12:00:27Z
Published2026-02-13
Last modified2026-02-26

Underlying weaknesses· 2

CWE-306CWE-502

References

  1. https://www.calero.com/
  2. https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce

2

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live
WeaknessDeserialization of Untrusted Datacwe-5020%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-26335
CVE
CVE-2026-0611
CVE
CVE-2026-26222
CVE
CVE-2026-23751
CVE
CVE-2026-5426
CVE
CVE-2026-0522
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.