CVE-2026-26333: Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
Security readout for executives and security teams
Plain-English summary
Older Calero VeraSMART systems may expose an unauthenticated remote service that lets an internet-reachable attacker read sensitive server files. Those files can include ASP.NET keys needed to forge ViewState data, potentially leading to remote code execution in IIS. The issue is critical because no login or user interaction is required.
Executive priority
Treat this as a top-priority remediation item for any VeraSMART deployment. A reachable vulnerable service could allow full application compromise without credentials, and sensitive key exposure may require follow-on credential and secret rotation.
Technical view
VeraSMART versions before 2022 R1 expose a .NET Remoting HTTP service on TCP 8001 with unsafe formatter behavior and Full TypeFilterLevel. Public advisory material describes arbitrary file read/write through exposed endpoints, web.config disclosure, machineKey recovery, ViewState-based RCE, and possible outbound SMB authentication leakage.
Likely exposure
Organizations running Calero VeraSMART before 2022 R1 are the stated exposure group, especially where TCP 8001 is reachable from untrusted networks. The bundle does not provide reliable CPEs or a full affected-version matrix.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. However, the described attack path is unauthenticated, remote, low-complexity, and can expose secrets enabling code execution, so exposed systems should be treated as urgent.
Researcher notes
Evidence is strongest for the Vulnerability Check advisory and CVE description. The affected product data in the bundle is sparse, so confirm versions with Calero. Avoid assuming exploitation in the wild unless new KEV or vendor intelligence appears.
Mitigation direction
Identify all VeraSMART instances and confirm exact release versions.
Upgrade affected systems to a Calero-supported non-affected release.
Restrict TCP 8001 to trusted administrative networks only.
Review Calero guidance before changing service behavior or configuration.
Rotate exposed ASP.NET machineKey material if compromise is suspected.
Monitor for unexpected outbound SMB authentication attempts.
Validation and detection
Inventory VeraSMART hosts and verify whether any run versions before 2022 R1.
Check whether TCP 8001 is reachable externally or from broad internal networks.
Review IIS and application logs for suspicious remoting or ViewState activity.
Confirm web.config and machineKey material were not exposed or reused.
Validate compensating firewall controls after remediation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.