{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26335", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-13T17:28:43.052Z", "datePublished": "2026-02-13T20:51:26.374Z", "dateUpdated": "2026-02-18T15:44:20.710Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VeraSMART", "vendor": "Calero", "versions": [{"lessThan": "2022 R1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "finder", "value": "Jan A. Rodriguez, Pentester Jr., GM Sectec, Corp."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Calero VeraSMART versions prior to&nbsp;2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\\\Program Files (x86)\\\\Veramark\\\\VeraSMART\\\\WebRoot\\\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application."}], "value": "Calero VeraSMART versions prior to\u00a02022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\\\Program Files (x86)\\\\Veramark\\\\VeraSMART\\\\WebRoot\\\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-18T15:44:20.710Z"}, "references": [{"tags": ["product"], "url": "https://www.calero.com/"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-static-iis-machine-keys-enable-viewstate-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T21:26:36.613624Z", "id": "CVE-2026-26335", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T21:27:16.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-13T21:26:36.613624Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T21:26:47.285Z"}}], "cna": {"title": "Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp."}, {"lang": "en", "type": "finder", "value": "Jan A. Rodriguez, Pentester Jr., GM Sectec, Corp."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Calero", "product": "VeraSMART", "versions": [{"status": "affected", "version": "0", "lessThan": "2022 R1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.calero.com/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-static-iis-machine-keys-enable-viewstate-rce", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Calero VeraSMART versions prior to\u00a02022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\\\Program Files (x86)\\\\Veramark\\\\VeraSMART\\\\WebRoot\\\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.", "supportingMedia": [{"type": "text/html", "value": "Calero VeraSMART versions prior to&nbsp;2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\\\Program Files (x86)\\\\Veramark\\\\VeraSMART\\\\WebRoot\\\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-18T15:44:20.710Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26335", "state": "PUBLISHED", "dateUpdated": "2026-02-18T15:44:20.710Z", "dateReserved": "2026-02-13T17:28:43.052Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-13T20:51:26.374Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:calero:verasmart:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FF22584-B88C-4D9D-9146-DA0F2B5474CC", "versionEndExcluding": "2022.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:calero:verasmart:2022.0:-:*:*:*:*:*:*", "matchCriteriaId": "CCE2CF2D-DA80-4CC0-97AC-496CB509935C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Calero VeraSMART versions prior to\u00a02022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\\\Program Files (x86)\\\\Veramark\\\\VeraSMART\\\\WebRoot\\\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application."}], "id": "CVE-2026-26335", "lastModified": "2026-02-26T22:45:37.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-13T21:16:52.927", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.calero.com/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-static-iis-machine-keys-enable-viewstate-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2022 R1)"}}], "product": "verasmart", "vendor": "calero"}], "analysis": {"en": {"generated_at": "2026-04-17T19:48:18.107498+00:00", "value": {"mitigation_remediation": ["Upgrade VeraSMART to version 2022 R1 or later, which implements dynamic machineKey values and mitigates the threat.", "If an immediate upgrade is not feasible, replace the static machineKey entries in the web.config with unique, randomly generated keys and ensure they are consistently applied across all environments.", "Restrict file system permissions on the web.config file to prevent unauthorized reading of the machineKey settings by non\u2011privileged users."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Calero\u2019s VeraSMART platform, versions released before 2022 R1. The static keys are located under C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config and affect all instances using that configuration.", "description_and_impact": "The VeraSMART application stores static ASP.NET/IIS machineKey values in its web.config file, which protects ViewState data from tampering. An attacker who learns these keys can forge a ViewState payload that passes integrity validation and causes the server to deserialize malicious data, resulting in code execution within the IIS application process. The vulnerability directly exposes the server to compromise, allowing the attacker to run arbitrary code as the application\u2019s identity. The weakness is a hard\u2011coded secret misuse (CWE\u2011321).", "risk_and_exploitability": "With a CVSS score of 9.3, the flaw is considered critical, yet the EPSS score of less than 1% indicates a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires either direct access to the web.config file or another method of retrieving the static machineKey values, after which an attacker can craft a malicious ViewState token. The risk is therefore high severity but currently low exploitation likelihood, making timely remediation imperative."}}}}, "created": "2026-02-16T12:03:29.332781+00:00", "updated": "2026-04-17T20:00:09.003832+00:00", "vendors": ["calero", "calero$PRODUCT$verasmart"]}