
CVE-2025-48390: CWE-94: Improper Control of Generation of Code ('Code Injection') in freescout-help-desk freescout

High
Published: Thu May 29 2025 (05/29/2025, 15:15:03 UTC)
Source: CVE Database V5
Vendor/Project: freescout-help-desk
Product: freescout

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter: neither backtick characters nor tab characters are removed. The input check also calls the file_exists function to verify that a file or folder at that path exists in the file system. A user with the administrator role can create a translation for a language, which creates a folder in the file system; in tools.php the user can then specify the path to this folder as php_path, which leads to execution of the code inside the backticks. This issue has been patched in version 1.8.178.

AI-Powered Analysis

Last updated: 07/07/2025, 20:43:29 UTC

Technical Analysis

CVE-2025-48390 is a high-severity code injection vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox application. The vulnerability exists in versions prior to 1.8.178 due to improper validation of user input in the php_path parameter. Specifically, the application fails to sanitize backtick characters and tabulation within this parameter. The vulnerability arises because an administrator-level user can create a language translation that results in the creation of a folder on the file system. Subsequently, in the tools.php script, the php_path parameter can be set to point to this folder. Due to the lack of proper input sanitization, the backticks in the php_path parameter are interpreted by the system, leading to arbitrary code execution. The file_exists function is used to check the presence of the file or folder but does not prevent injection. This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the application allows user input to be executed as code without sufficient validation. The vulnerability has been patched in FreeScout version 1.8.178. The CVSS 4.0 base score is 8.6, reflecting high severity with network attack vector, low attack complexity, no user interaction, and requiring administrator privileges. The impact on confidentiality, integrity, and availability is high, as arbitrary code execution can lead to full system compromise. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using FreeScout versions prior to 1.8.178, this vulnerability poses a significant risk. Since FreeScout is often deployed in customer support and help desk environments, exploitation could allow attackers with administrator access to execute arbitrary code on the server hosting FreeScout. This can lead to unauthorized data access, modification, or deletion, disruption of help desk operations, and potential lateral movement within the internal network. The compromise of help desk systems is particularly sensitive because they often contain access credentials, customer data, and internal communication logs. Organizations in sectors such as finance, healthcare, and government, where data protection regulations like GDPR are stringent, may face regulatory and reputational damage if exploited. The requirement for administrator privileges limits the attack surface but insider threats or compromised admin accounts could be leveraged by attackers. The lack of user interaction and network exploitability means that once an attacker has admin access, exploitation can be automated and stealthy. Overall, the vulnerability could lead to severe operational and data security impacts for European entities relying on vulnerable FreeScout deployments.

Mitigation Recommendations

1. Immediately upgrade FreeScout to version 1.8.178 or later to apply the official patch that fixes the input validation flaw.
2. Restrict administrator privileges strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise.
3. Conduct regular audits of administrator activities and monitor for unusual creation of language translations or modifications to the php_path parameter in tools.php.
4. Implement application-level input validation and sanitization controls to detect and block malicious input patterns, including backticks and other shell metacharacters.
5. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability by monitoring for suspicious parameters in HTTP requests.
6. Isolate FreeScout servers within segmented network zones with limited access to critical internal systems to contain potential breaches.
7. Maintain up-to-date backups of FreeScout data and configurations to enable rapid recovery in case of compromise.
8. Educate administrators on secure configuration and the risks of code injection vulnerabilities to prevent inadvertent exposure.
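The following is an added illustration, not FreeScout's own code, of the validation gap described in the Technical Analysis and the application-level control in recommendation 4: a check that relies on file_exists alone accepts a directory whose name contains backticks, while an allow-listed, type-checked validator rejects it. Function names and the temporary directory are hypothetical and constructed for the demonstration.

```php
<?php
// Weak check of the kind the advisory describes: file_exists() is true for
// directories as well as files, and nothing rejects backticks or tabs, so a
// folder such as ".../lang/`id`" passes and its name later reaches a shell.
function weakPhpPathCheck(string $phpPath): bool
{
    return file_exists($phpPath);
}

// Hardened check: allow-list the characters (no backticks, tabs or other
// shell metacharacters), resolve the path, and require a regular executable
// file rather than merely "something exists at this path".
function hardenedPhpPathCheck(string $phpPath): ?string
{
    if (!preg_match('/\A[A-Za-z0-9._\/-]+\z/', $phpPath)) {
        return null;
    }
    $real = realpath($phpPath);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    return $real;
}

// Even a validated path must be quoted before it is placed in a command line.
function buildVersionCommand(string $validatedPhpPath): string
{
    return escapeshellarg($validatedPhpPath) . ' -v';
}

// Constructed demonstration input: a directory whose name contains backticks,
// mimicking a folder created through the translation feature.
$tmp = sys_get_temp_dir() . '/lang_' . bin2hex(random_bytes(4));
$badDir = $tmp . '/`id`';
mkdir($badDir, 0700, true);

var_dump(weakPhpPathCheck($badDir));         // accepted by the weak check
var_dump(hardenedPhpPathCheck($badDir));     // rejected by the hardened check
var_dump(hardenedPhpPathCheck(PHP_BINARY));  // a real interpreter is accepted
echo buildVersionCommand(PHP_BINARY), PHP_EOL;

rmdir($badDir);
rmdir($tmp);
```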


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-19T15:46:00.398Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68387d4e182aa0cae283168d

Added to database: 5/29/2025, 3:29:18 PM

Last enriched: 7/7/2025, 8:43:29 PM

Last updated: 7/30/2025, 10:34:47 PM
