CVE-2026-26333

Name of the Vulnerable Software and Affected Versions Calero VeraSMART versions prior to 2022 R1

Description An unauthenticated .NET Remoting HTTP service is exposed on TCP port 8001 in affected versions. The service publishes default ObjectURIs, including EndeavorServer.rem and RemoteFileReceiver.rem, and allows the use of SOAP and binary formatters with TypeFilterLevel set to Full. A remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This can allow retrieval of sensitive files, such as WebRootweb.config, potentially disclosing IIS machineKey validation and decryption keys. These keys can be used to generate a malicious ASP.NET ViewState payload, achieving remote code execution within the IIS application context. Supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

Recommendations Update to version 2022 R1 or later.