Remote Code Execution Vulnerability in FreeScout Help Desk by FreeScout
CVE-2025-58163

8.6HIGH

Key Information:

Vendor

Freescout-help-desk

Status
Freescout
Vendor
CVE Published:
3 September 2025

What is CVE-2025-58163?

FreeScout, a help desk application built on the PHP Laravel framework, contains a vulnerability that allows authenticated attackers to exploit deserialization of data, resulting in the potential for remote code execution. This issue is present in versions 1.8.185 and below, where specific parameters in the endpoint /help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp} are not properly validated during their decryption process in app/Helper.php. The lack of thorough sanitization when deserializing the decrypted payload exposes the application to significant security risks. A fix for this vulnerability is included in version 1.8.186.

Affected Version(s)

freescout < 1.8.186

References

https://github.com/freescout-help-desk/freescout/security...
x_refsource_CONFIRM
https://github.com/freescout-help-desk/freescout/commit/1...
x_refsource_MISC
https://github.com/freescout-help-desk/freescout/releases...
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-58163 : Remote Code Execution Vulnerability in FreeScout Help Desk by FreeScout