PT-2026-8032 · Veramark · Verasmart

Gm Sectec Inc

Published: 2026-02-13 · Updated: 2026-02-14 · CVE-2026-26335

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Calero VeraSMART versions prior to 2022 R1

Description

The application uses static machineKey values configured for the VeraSMART web application and stored in 'C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config'. An attacker obtaining these keys can create a valid ASP.NET ViewState payload, bypassing integrity validation. This leads to server-side deserialization and remote code execution within the IIS application context.

Recommendations

Update to version 2022 R1 or later.
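
A defender-side check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it parses a web.config and reports any hard-coded machineKey validationKey or decryptionKey without echoing the key material. The sample configurations and key values are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real keys.
STATIC_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER0123456789ABCDEF"
                decryptionKey="PLACEHOLDERFEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location path="app">
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps" />
    </system.web>
  </location>
</configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")


def find_static_machine_keys(config_xml):
    """Return (attribute, value_length) for every hard-coded machineKey value.

    A missing attribute or one starting with "AutoGenerate" means the
    runtime generates the key, so only literal values are reported.
    The key material itself is never returned, only its length.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # Walk the whole tree so <location>-scoped sections are covered, and
    # compare local names so a namespaced <configuration> still matches.
    for element in root.iter():
        if element.tag.split("}")[-1] != "machineKey":
            continue
        for attr in KEY_ATTRS:
            value = (element.get(attr) or "").strip()
            if value and not value.lower().startswith("autogenerate"):
                findings.append((attr, len(value)))
    return findings


if __name__ == "__main__":
    for name, xml in (("static", STATIC_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        hits = find_static_machine_keys(xml)
        print(name, "STATIC KEYS" if hits else "ok", hits)
```
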

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-26335

Affected Products

Verasmart