PT-2025-35650

Author: Artem Danilov
Published: 2025-09-03
Updated: 2025-09-08
CVE-2025-58163
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeScout versions 1.8.185 and earlier

Description: FreeScout is a help desk and shared inbox built with PHP's Laravel framework. Versions prior to 1.8.186 contain a deserialization of untrusted data issue that allows authenticated attackers with knowledge of the application's APP_KEY to achieve remote code execution. The vulnerability is exploited via the /help/{mailbox id}/auth/{customer id}/{hash}/{timestamp} endpoint, where the customer id and timestamp parameters are processed through the decrypt function in app/Helper.php without proper validation. The code decrypts using Laravel's built-in encryption functions, which subsequently deserialize the decrypted payload without sanitization, allowing attackers to craft malicious serialized PHP objects to trigger arbitrary command execution.

Recommendations: Upgrade to FreeScout version 1.8.186 or later.
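The pattern behind this advisory, shown as an added example that is not FreeScout's or Laravel's code: a Laravel-style encrypt/decrypt is re-implemented in plain PHP (so the script runs without Composer), with the weak form that hands the decrypted plaintext straight to unserialize() next to a hardened form that treats the value as an opaque string and validates its shape. The key, the cipher choice and all function names are constructed for this example; in a real Laravel application the equivalent hardening is to call decryptString() or decrypt($value, false) instead of decrypt(), and to validate the result before use.

```php
<?php
// Added illustration (not FreeScout's or Laravel's code). It mirrors the
// Laravel payload layout base64(json{iv, value, mac}) in plain PHP so it runs
// stand-alone. Requires PHP 8.0+ (mixed return type).
declare(strict_types=1);

const CIPHER = 'aes-256-cbc'; // 32-byte key, constructed below

// Constructed re-implementation of the Laravel-style encrypt step.
function encryptPayload(string $key, string $plaintext): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plaintext, CIPHER, $key, 0, $iv); // base64 output
    $mac = hash_hmac('sha256', base64_encode($iv) . $value, $key);
    return base64_encode(json_encode([
        'iv' => base64_encode($iv), 'value' => $value, 'mac' => $mac,
    ]));
}

// Constructed re-implementation of the decrypt step, returning the raw
// plaintext (or null if the payload is malformed or the MAC does not verify).
function decryptPayload(string $key, string $payload): ?string
{
    $json = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $key);
    // A valid MAC only proves the sender holds the key; it says nothing about
    // whether the plaintext is safe to deserialize.
    if (!hash_equals($expected, (string) $json['mac'])) {
        return null;
    }
    $plain = openssl_decrypt($json['value'], CIPHER, $key, 0, base64_decode($json['iv']));
    return $plain === false ? null : $plain;
}

// WEAK: the plaintext is unserialized unconditionally (Laravel's decrypt()
// default), so anyone holding the key can make the app instantiate any class.
function decryptVulnerable(string $key, string $payload): mixed
{
    $plain = decryptPayload($key, $payload);
    return $plain === null ? null : unserialize($plain);
}

// MITIGATION 1: if unserialize() is genuinely needed, forbid object creation;
// serialized objects become __PHP_Incomplete_Class and no magic methods run.
function decryptNoClasses(string $key, string $payload): mixed
{
    $plain = decryptPayload($key, $payload);
    return $plain === null ? null : unserialize($plain, ['allowed_classes' => false]);
}

// MITIGATION 2 (preferred for a route parameter such as a customer id or a
// timestamp): never unserialize; treat the plaintext as a string and validate
// the exact shape the route expects.
function decryptCustomerId(string $key, string $payload): ?int
{
    $plain = decryptPayload($key, $payload);
    if ($plain === null || !ctype_digit($plain)) {
        return null;
    }
    return (int) $plain;
}

// Constructed key: 32 raw bytes for aes-256-cbc.
$key = hash('sha256', 'constructed-example-key', true);

// Legitimate token carrying a customer id.
$token = encryptPayload($key, '42');
var_dump(decryptCustomerId($key, $token));          // int(42)

// Token whose plaintext is a serialized object; a harmless stdClass stands in
// for whatever an attacker with the key would choose to serialize.
$objectToken = encryptPayload($key, serialize((object) ['id' => 42]));
var_dump(decryptVulnerable($key, $objectToken));    // object(stdClass): the app instantiated it
var_dump(decryptNoClasses($key, $objectToken));     // object(__PHP_Incomplete_Class): inert
var_dump(decryptCustomerId($key, $objectToken));    // NULL: rejected before any deserialization
```

The point the example makes is that the MAC check inside decryptPayload() is not a defence against this class of bug: once APP_KEY is known, every payload verifies, so the only safe design is to avoid deserializing the decrypted value at all (or, failing that, to disable class instantiation) and to validate it as the scalar the route expects.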

Tags: Exploit, Fix, RCE, Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-58163
GHSA-J94W-Q9GJ-C37G

Affected Products

Freescout
Laravel
Php