Calero VeraSMART versions prior to 2022 R1 contain a critical vulnerability (CVE-2026-26333) due to missing authentication on a .NET Remoting HTTP service exposed on TCP port 8001. This service publishes default ObjectURIs such as EndeavorServer.rem and RemoteFileReceiver.rem and accepts SOAP and binary formatters with TypeFilterLevel set to Full, which is highly permissive. An unauthenticated remote attacker can invoke these remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows attackers to retrieve sensitive configuration files like WebRoot\web.config, which contain IIS machineKey validation and decryption keys. With these keys, attackers can craft malicious ASP.NET ViewState payloads to achieve remote code execution within the IIS application context, effectively compromising the server. Furthermore, by supplying a UNC path, attackers can cause the service to initiate outbound SMB authentication attempts using the service account's credentials, potentially exposing NTLMv2 hashes. These hashes can be captured for relay attacks or offline cracking, further escalating privileges or lateral movement. The vulnerability is rated critical with a CVSS 4.0 score of 10.0, reflecting its ease of exploitation (no authentication or user interaction required) and severe impact on confidentiality, integrity, and availability. No patches are currently linked, and no known exploits in the wild have been reported yet, but the risk of exploitation is high given the nature of the flaw.

For European organizations, exploitation of CVE-2026-26333 could lead to complete compromise of affected VeraSMART servers, resulting in unauthorized access to sensitive corporate data and disruption of telecommunication management services. The ability to execute arbitrary code remotely without authentication threatens confidentiality, integrity, and availability of critical infrastructure. Exposure of IIS machineKey values can also undermine other ASP.NET applications on the same server. The potential for NTLMv2 hash capture increases risk of lateral movement and privilege escalation within enterprise networks. Organizations relying on VeraSMART for telecom expense management or related services may face operational disruptions, data breaches, and compliance violations under GDPR due to unauthorized data access. The critical severity and ease of exploitation make this a high-priority threat for affected entities across Europe.

Immediate mitigation steps include restricting network access to TCP port 8001 to trusted internal hosts only, using network segmentation and firewall rules to block external access. Organizations should upgrade VeraSMART to version 2022 R1 or later where the vulnerability is fixed. If upgrading is not immediately possible, disabling the .NET Remoting HTTP service or applying custom access controls to enforce authentication on the exposed endpoints is recommended. Monitoring network traffic for unusual SMB authentication attempts and anomalous access to port 8001 can help detect exploitation attempts. Additionally, auditing IIS web.config files and rotating machineKey values after remediation can prevent reuse of leaked keys. Implementing strong network-level authentication and encryption for internal services will reduce attack surface. Finally, organizations should prepare incident response plans for potential exploitation scenarios involving remote code execution and credential theft.