Veramark · Verasmart · CVE-2026-26335
**Name of the Vulnerable Software and Affected Versions**
Calero VeraSMART versions prior to 2022 R1
**Description**
The application uses static machineKey values configured for the VeraSMART web application and stored in 'C:Program Files (x86)VeramarkVeraSMARTWebRootweb.config'. An attacker obtaining these keys can create a valid ASP.NET ViewState payload, bypassing integrity validation. This leads to server-side deserialization and remote code execution within the IIS application context.
**Recommendations**
Update to version 2022 R1 or later.