CVE-2026-26335— Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-26335
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\\Program Files (x86)\\Veramark\\VeraSMART\\WebRoot\\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的密码学密钥
Source: NVD (National Vulnerability Database)
Vulnerability Title
Calero VeraSMART 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Calero VeraSMART是美国Calero公司的一个电话计费软件。 Calero VeraSMART 2022 R1之前版本存在安全漏洞,该漏洞源于使用静态的ASP.NET/IIS machineKey值,可能导致攻击者构造有效的ASP.NET ViewState有效载荷,进而导致服务器端反序列化和远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-26335
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/mbanyamer/CVE-2026-26335-Calero-VeraSMART-RCE | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-26335
请登录查看更多情报信息。
Same Patch Batch · Calero · 2026-02-13 · 3 CVEs total
| CVE-2026-26333 | Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE | |
| CVE-2026-26334 | Calero VeraSMART < 2026 R1 Hardcoded Static AES Keys Allow Decryption of Service Credentia |
IV. Related Vulnerabilities
Same weakness: CWE-321
- CVE-2026-8243
Industrial Application Software IAS Canias ERP JNLP Deployme - CVE-2026-6787
Usage of a hard-coded cryptographic key in WatchGuard Agent - CVE-2026-42518
Information Disclosure Vulnerability in e-Sushrut HMIS - CVE-2026-7306
Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard - CVE-2026-32644
Milesight Cameras Use of Hard-coded Cryptographic Key
V. Comments for CVE-2026-26335
No comments yet