CVE-2026-26333: CWE-306 Missing Authentication for Critical Function in Calero VeraSMART
Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.
AI Analysis
Technical Summary
CVE-2026-26333 is a critical security vulnerability affecting Calero VeraSMART versions prior to 2022 R1. The root cause is the exposure of an unauthenticated .NET Remoting HTTP service listening on TCP port 8001. This service publishes default ObjectURIs such as EndeavorServer.rem and RemoteFileReceiver.rem, which accept requests serialized using SOAP and binary formatters with TypeFilterLevel set to Full. Because there is no authentication, remote attackers can invoke these remoting endpoints to perform arbitrary file read and write operations via the .NET WebClient class. This allows attackers to retrieve sensitive files like WebRoot\web.config, which contains IIS machineKey validation and decryption keys. With these keys, attackers can generate malicious ASP.NET ViewState payloads that execute arbitrary code remotely within the IIS application context, effectively achieving remote code execution (RCE). Furthermore, attackers can supply UNC paths to the service, causing it to initiate outbound SMB authentication attempts using the service account's credentials. This behavior can be abused to capture NTLMv2 hashes, which can then be used for relay attacks or offline cracking to escalate privileges or move laterally within a network. The vulnerability is rated with a CVSS 4.0 score of 10.0, reflecting its critical impact and ease of exploitation without authentication or user interaction. Although no known exploits are currently in the wild, the vulnerability poses a severe risk due to the potential for full system compromise and credential theft. The vulnerability is related to CWE-306 (Missing Authentication for Critical Function) and CWE-502 (Deserialization of Untrusted Data).
Potential Impact
The impact of CVE-2026-26333 is severe for organizations using vulnerable versions of Calero VeraSMART. Successful exploitation allows unauthenticated remote attackers to achieve remote code execution within the IIS application context, potentially leading to full system compromise. Confidentiality is compromised through unauthorized access to sensitive configuration files containing cryptographic keys. Integrity and availability are at risk due to arbitrary file write capabilities and potential execution of malicious payloads. The ability to capture NTLMv2 hashes via outbound SMB authentication attempts further endangers network security by enabling credential theft and lateral movement. Organizations may face data breaches, service disruptions, and significant operational and reputational damage. Given the criticality and network-exploitable nature of this vulnerability, it represents a high risk to enterprise environments, especially those with internet-facing VeraSMART deployments or insufficient network segmentation.
Mitigation Recommendations
To mitigate CVE-2026-26333, organizations should immediately upgrade Calero VeraSMART to version 2022 R1 or later, where this vulnerability is addressed. If patching is not immediately possible, restrict network access to TCP port 8001 to trusted management networks only, using firewalls or network segmentation to prevent unauthorized external access. Disable or block the .NET Remoting HTTP service if it is not required for operational purposes. Implement monitoring and alerting for unusual outbound SMB authentication attempts originating from VeraSMART servers to detect potential exploitation attempts. Review and rotate IIS machineKey values and other sensitive cryptographic keys if compromise is suspected. Employ network-level controls such as SMB signing and enforce strong authentication policies to reduce the risk of NTLM relay attacks. Conduct regular vulnerability scans and penetration tests to verify that the vulnerability is remediated and no unauthorized access is possible. Finally, educate IT and security teams about the risks of unauthenticated remoting services and the importance of securing legacy protocols.
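The two monitoring recommendations above (access to TCP port 8001 from outside trusted management networks, and unusual outbound SMB from VeraSMART servers) can be checked against network flow records. The following is an added example, not part of the advisory or of any vendor tooling; the CSV record layout, host addresses, management network and SMB allowlist are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Assumptions (site-specific, not from the advisory): replace with your own values.
VERASMART_HOSTS = {ipaddress.ip_address("10.20.0.15")}
MGMT_NETS = [ipaddress.ip_network("10.20.9.0/24")]   # allowed to reach TCP 8001
SMB_ALLOWED = {ipaddress.ip_address("10.20.0.40")}   # file servers the service may use
REMOTING_PORT, SMB_PORT = 8001, 445

# Constructed sample flow records: time,src,dst,dport,uri
SAMPLE_FLOWS = """\
2026-02-14T09:00:01Z,10.20.9.7,10.20.0.15,8001,/EndeavorServer.rem
2026-02-14T09:03:12Z,198.51.100.23,10.20.0.15,8001,/RemoteFileReceiver.rem
2026-02-14T09:03:14Z,10.20.0.15,198.51.100.23,445,
2026-02-14T09:05:40Z,10.20.0.15,10.20.0.40,445,
2026-02-14T09:07:02Z,10.20.3.88,10.20.0.15,8001,
"""

def triage(flow_csv):
    """Return (time, rule, detail) alerts for the two behaviours the advisory names."""
    alerts = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row:
            continue
        ts, src, dst, dport, uri = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = int(dport)
        if dst_ip in VERASMART_HOSTS and port == REMOTING_PORT:
            # Remoting service reached from outside the management networks.
            if not any(src_ip in net for net in MGMT_NETS):
                hit_uri = uri.lower().endswith(".rem")
                rule = "remoting-uri-untrusted-src" if hit_uri else "remoting-port-untrusted-src"
                alerts.append((ts, rule, f"{src} -> {dst}:{port} {uri}".strip()))
        elif src_ip in VERASMART_HOSTS and port == SMB_PORT and dst_ip not in SMB_ALLOWED:
            # Outbound SMB to a host the service has no reason to contact,
            # the pattern a UNC path supplied to the service would produce.
            alerts.append((ts, "unexpected-outbound-smb", f"{src} -> {dst}:{port}"))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(*alert, sep="  ")
```

A remoting request from an untrusted source followed shortly by outbound SMB to the same address, as in the second and third sample records, is the combination to prioritise.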
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, India, Brazil, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-13T17:28:43.050Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698f9c59c9e1ff5ad86a8edf
Added to database: 2/13/2026, 9:49:13 PM
Last enriched: 2/20/2026, 10:25:54 PM
Last updated: 3/31/2026, 3:37:07 AM