9.3

Calero VeraSMART: Malicious Code Can Run on Server

CVE-2026-26335
Summary

Calero VeraSMART versions before 2022 R1 use static ASP.NET/IIS machineKey values stored in the web application's web.config file. An attacker who obtains these keys can craft an ASP.NET ViewState payload that passes integrity validation, which leads to server-side deserialization and code execution in the context of the IIS application. This creates a risk of unauthorized access to sensitive data and disruption to the application. Update to version 2022 R1 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| calero | verasmart | <= 2022.0 | |
| calero | verasmart | 2022.0 | |
Original title
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\...
Original description
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains these keys can craft a valid ASP.NET ViewState payload that passes integrity validation and is accepted by the application, resulting in server-side deserialization and remote code execution in the context of the IIS application.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-321 Use of Hard-coded Cryptographic Key
Published: 13 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026