CVE-2026-41902

FreeScout · FreeScout

FreeScout contains a flaw in the user-setup endpoint: invitation hashes never expire and are never invalidated, so an unauthenticated attacker who obtains a hash can take over the corresponding account permanently.

Executive summary

A critical vulnerability in FreeScout enables unauthenticated account takeover because user invitation hashes are never expired or invalidated once issued.

Vulnerability

The /user-setup/{hash} endpoint never invalidates an invitation hash, so a hash remains valid indefinitely instead of being consumed on first use or timing out. Anyone who obtains a hash (for example from a forwarded or archived invitation email) can call the endpoint without authenticating, complete the setup of the target account and take it over. If the target account belongs to an administrator, the attacker gains administrative privileges over the help desk. Note that the attacker must first obtain a hash; the weakness is that a hash, once leaked, stays usable forever.
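To make the flaw concrete, the following added example (illustrative Python, not FreeScout's own code) contrasts the lifecycle the advisory describes, a hash that is looked up and honoured forever, with a single-use, time-limited invite that stores only a digest of the token. The class names, the 24-hour TTL and the `demo()` scenario are assumptions made for the illustration.

```python
# Added illustration of invite-hash lifecycle. Not FreeScout's code; class
# names, the 24-hour TTL and the demo scenario are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

INVITE_TTL_SECONDS = 24 * 60 * 60  # assumption: one-day invite validity


@dataclass
class User:
    email: str
    is_admin: bool = False
    password_set: bool = False
    password_digest: Optional[str] = None
    invite_hash: Optional[str] = None        # vulnerable variant: raw token, kept forever
    invite_digest: Optional[str] = None      # hardened variant: SHA-256 of the token
    invite_expires_at: Optional[float] = None


def _digest(secret: str) -> str:
    # SHA-256 keeps the example short; a real password store would use bcrypt/argon2.
    return hashlib.sha256(secret.encode()).hexdigest()


class VulnerableInvites:
    """The pattern the advisory describes: the hash is issued once and never
    cleared or timed out, so any later holder can run user-setup again."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def invite(self, email: str, is_admin: bool = False) -> str:
        user = User(email, is_admin, invite_hash=secrets.token_hex(16))
        self.users[email] = user
        return user.invite_hash

    def user_setup(self, invite_hash: str, new_password: str, now: float) -> bool:
        for user in self.users.values():
            if user.invite_hash == invite_hash:  # no expiry check, token never consumed
                user.password_digest = _digest(new_password)
                user.password_set = True
                return True
        return False


class HardenedInvites:
    """Stores only a digest, enforces a TTL, and consumes the token on use."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def invite(self, email: str, now: float, is_admin: bool = False) -> str:
        token = secrets.token_urlsafe(32)
        user = User(email, is_admin, invite_digest=_digest(token),
                    invite_expires_at=now + INVITE_TTL_SECONDS)
        self.users[email] = user
        return token  # the only copy of the raw token goes into the invitation email

    def user_setup(self, token: str, new_password: str, now: float) -> bool:
        presented = _digest(token)
        for user in self.users.values():
            if user.invite_digest is None:
                continue  # no pending invite: already used or never issued
            if not hmac.compare_digest(user.invite_digest, presented):
                continue
            # Clear the invite whether accepted or expired, so it is single-use.
            expired = now > user.invite_expires_at
            user.invite_digest = None
            user.invite_expires_at = None
            if expired:
                return False  # user must be re-invited
            user.password_digest = _digest(new_password)
            user.password_set = True
            return True
        return False


def demo() -> Dict[str, bool]:
    """Replays the advisory's scenario against both implementations."""
    t0 = 1_000_000.0
    results: Dict[str, bool] = {}

    vuln = VulnerableInvites()
    h = vuln.invite("admin@example.com", is_admin=True)
    results["vulnerable_first"] = vuln.user_setup(h, "legit-pw", now=t0)
    # A week later, whoever holds the forwarded invite mail reuses the same hash.
    results["vulnerable_replay"] = vuln.user_setup(h, "attacker-pw", now=t0 + 7 * 86400)

    hard = HardenedInvites()
    tok = hard.invite("admin@example.com", now=t0, is_admin=True)
    results["hardened_first"] = hard.user_setup(tok, "legit-pw", now=t0 + 60)
    results["hardened_replay"] = hard.user_setup(tok, "attacker-pw", now=t0 + 120)

    stale_store = HardenedInvites()
    stale = stale_store.invite("agent@example.com", now=t0)
    results["hardened_expired"] = stale_store.user_setup(
        stale, "late-pw", now=t0 + 2 * INVITE_TTL_SECONDS)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'setup succeeded' if ok else 'rejected'}")
```

The vulnerable store accepts the replayed hash a week after the legitimate user finished setup, which is exactly the permanent takeover the advisory warns about; the hardened store rejects both the replay and the stale invite, and because it only keeps a digest, a database read does not hand an attacker usable tokens either.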

Business impact

This vulnerability carries a CVSS score of 9.1, reflecting how easily an account can be taken over once a hash is obtained and the potential for full administrative compromise. Successful exploitation could expose sensitive help desk data, customer communications and internal workflows, with significant reputational and data privacy consequences.

Remediation

Immediate Action: Upgrade FreeScout to version 1.8.217 or later immediately; this release enforces expiration and invalidation of invitation hashes.

Proactive Monitoring: Audit existing user accounts, especially administrator accounts, for suspicious activity, and review web server access logs for requests to /user-setup/ paths: the same hash completing setup more than once, requests from unfamiliar client addresses, or hits long after the invitation was sent are signs that a leaked hash has been replayed.

Compensating Controls: Treat invitation links as credentials. Ensure that invitation emails are not forwarded or stored in insecure locations, and enable multi-factor authentication (MFA) where available so that a password obtained through the setup flow is not on its own sufficient to log in.
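As an added example supporting the monitoring recommendation above (not part of the original advisory or of FreeScout), the script below parses combined-format access logs, groups requests by the hash in `/user-setup/{hash}`, and flags hashes that were submitted more than once, from more than one client address, or long after they were first seen. The log lines are constructed sample data and the one-day threshold is an assumption.

```python
# Added illustration: triage access logs for suspicious use of the user-setup
# endpoint. The sample log lines are constructed; the one-day TTL is an assumption.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in nginx/Apache combined format. The first hash is
# completed again from a second address a week after the legitimate setup;
# the second hash shows a normal single completion.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2026:09:14:02 +0000] "GET /user-setup/3f1c9a7be2d04c5a HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Mar/2026:09:15:30 +0000] "POST /user-setup/3f1c9a7be2d04c5a HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [09/Mar/2026:22:41:11 +0000] "GET /user-setup/3f1c9a7be2d04c5a HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.77 - - [09/Mar/2026:22:41:19 +0000] "POST /user-setup/3f1c9a7be2d04c5a HTTP/1.1" 302 0 "-" "curl/8.5.0"
192.0.2.5 - - [09/Mar/2026:23:02:44 +0000] "GET /user-setup/aa01bb02cc03dd04 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [09/Mar/2026:23:03:10 +0000] "POST /user-setup/aa01bb02cc03dd04 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SETUP_RE = re.compile(r"^/user-setup/(?P<hash>[A-Za-z0-9_-]+)")
INVITE_TTL = timedelta(days=1)  # assumption: how long an invite should reasonably live


def review_user_setup(lines: List[str], ttl: timedelta = INVITE_TTL) -> List[Dict]:
    """Return one finding per invite hash whose usage pattern looks like replay."""
    by_hash = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        s = SETUP_RE.match(m["path"])
        if not s:
            continue  # some other endpoint
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_hash[s["hash"]].append((ts, m["ip"], m["method"], int(m["status"])))

    findings = []
    for h, hits in sorted(by_hash.items()):
        hits.sort()
        ips = sorted({ip for _, ip, _, _ in hits})
        # A successful form submission is a POST that was not rejected.
        posts = [x for x in hits if x[2] == "POST" and x[3] < 400]
        span = hits[-1][0] - hits[0][0]
        reasons = []
        if len(posts) > 1:
            reasons.append("setup form submitted %d times" % len(posts))
        if len(ips) > 1:
            reasons.append("requests from %d client IPs" % len(ips))
        if span > ttl:
            reasons.append("hash still in use %s after first seen" % span)
        if reasons:
            findings.append({"hash": h, "post_count": len(posts),
                             "client_ips": ips, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_user_setup(SAMPLE_LOG.splitlines()):
        print(f["hash"], f["client_ips"])
        for r in f["reasons"]:
            print("  -", r)
```

In a real review, feed it the web server's access log for the whole period the vulnerable version was deployed; a hash that completes setup twice, or from an unfamiliar address, is the signature of the replay this advisory describes, and the affected account should be treated as compromised until its credentials are reset.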

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The risk of permanent account takeover is severe. Administrators should prioritize upgrading to version 1.8.217 or later so that invitation hashes are properly invalidated, and should secure the administrative interface against unauthorized access.