What is the CVSS score of CVE-2026-26333?

CVE-2026-26333 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of IIS are affected by CVE-2026-26333?

Calero VeraSMART installations prior to version 2022 R1 contain a critical vulnerability allowing unauthenticated remote attackers to read and write arbitrary files on affected servers.

How to fix or mitigate CVE-2026-26333?

Within 24 hours: Identify and inventory all Calero VeraSMART deployments, document versions, and assess network exposure of port 8001. Within 7 days: Implement network segmentation to restrict access to port 8001 (TCP) to trusted networks only, deploy WAF rules to block .NET Remoting requests, and disable the HTTP remoting service if operationally feasible. Within 30 days: Plan and execute upgrade to VeraSMART 2022 R1 or later, or migrate to alternative solutions if upgrade timeline exceeds risk tolerance.

IIS CVE-2026-26333

CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-02-13 disclosure@vulncheck.com

IIS .NET RCE Verasmart

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 13, 2026 - 21:16 nvd

CRITICAL 9.8

DescriptionCVE.org

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

AnalysisAI

Unauthenticated .NET Remoting endpoint in Calero VeraSMART before 2022 R1. TCP port 8001 exposes default Object URIs enabling deserialization attacks. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Connect to exposed .NET Remoting service on TCP 8001

Delivery

Invoke EndeavorServer.rem or RemoteFileReceiver.rem endpoint

Exploit

Instantiate WebClient through unsafe formatter

Execution

Read arbitrary files including web.config

Impact

Exfiltrate IIS machineKey credentials

Access

Connect to exposed .NET Remoting service on TCP 8001

Delivery

Invoke EndeavorServer.rem or RemoteFileReceiver.rem endpoint

Exploit

Instantiate WebClient through unsafe formatter

Execution

Read arbitrary files including web.config

Impact

Exfiltrate IIS machineKey credentials

Vulnerability AssessmentAI

Exploitation	Calero VeraSMART versions prior to 2022 R1 with unauthenticated .NET Remoting HTTP service enabled on TCP port 8001, publishing default ObjectURIs (EndeavorServer.rem, RemoteFileReceiver.rem) with TypeFilterLevel set to Full allowing SOAP and binary formatters. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker connects to TCP 8001, exploits .NET Remoting deserialization for RCE.
Remediation	Update to 2022 R1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Calero VeraSMART deployments, document versions, and assess network exposure of port 8001. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-26333 vulnerability details – vuln.today

Back

IIS CVE-2026-26333

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code