Forwarded from the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC): TWCERTCC-200-202507-00000007
[Content Description]
[HGiga | iSherlock - OS Command Injection] (CVE-2025-7451, CVSS: 9.8) iSherlock, developed by HGiga, has an OS command injection vulnerability that allows unauthenticated remote attackers to inject arbitrary operating system commands and execute them on the server. This vulnerability has been exploited in the wild; update as soon as possible.
[Affected Platforms]
● Affected Products and Versions:
Hgiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) 4.5, 5.5
● Affected Packages:
iSherlock-4.5:
iSherlock-maillog-4.5 <>
iSherlock-smtp-4.5 <>
iSherlock-5.5:
iSherlock-maillog-5.5 <>
iSherlock-smtp-5.5 <>
[Suggested Actions]
● Update package iSherlock-maillog-4.5 to version 137 or later
● Update package iSherlock-smtp-4.5 to version 732 or later
● Update package iSherlock-maillog-5.5 to version 137 or later
● Update package iSherlock-smtp-5.5 to version 732 or later
[References]
https://www.twcert.org.tw/tw/cp-132-10237-9e0f7-1.html