{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T16:27:14.395","vulnerabilities":[{"cve":{"id":"CVE-2026-26333","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-02-13T21:16:52.440","lastModified":"2026-02-26T22:46:30.153","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking."},{"lang":"es","value":"Las versiones de Calero VeraSMART anteriores a 2022 R1 exponen un servicio HTTP de .NET Remoting sin autenticación en el puerto TCP 8001. El servicio publica ObjectURIs predeterminados (incluyendo EndeavorServer.rem y RemoteFileReceiver.rem) y permite el uso de formateadores SOAP y binarios con TypeFilterLevel configurado en Full. Un atacante remoto sin autenticación puede invocar los puntos finales de remoting expuestos para realizar operaciones arbitrarias de lectura y escritura de archivos a través de la clase WebClient. Esto permite la recuperación de archivos sensibles como WebRoot\\\\web . config, que pueden revelar las claves de validación y descifrado de machineKey de IIS. Un atacante puede usar estas claves para generar una carga útil maliciosa de ASP.NET ViewState y lograr la ejecución remota de código dentro del contexto de la aplicación IIS. Además, proporcionar una ruta UNC puede desencadenar la autenticación SMB saliente desde la cuenta de servicio, exponiendo potencialmente hashes NTLMv2 para retransmisión o cracking fuera de línea."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-306"},{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-306"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:calero:verasmart:*:*:*:*:*:*:*:*","versionEndExcluding":"2022.0","matchCriteriaId":"1FF22584-B88C-4D9D-9146-DA0F2B5474CC"},{"vulnerable":true,"criteria":"cpe:2.3:a:calero:verasmart:2022.0:-:*:*:*:*:*:*","matchCriteriaId":"CCE2CF2D-DA80-4CC0-97AC-496CB509935C"}]}]}],"references":[{"url":"https://www.calero.com/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbitrary-file-read-leading-to-viewstate-rce","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}