[Vulnerability Alert] Han-Kuang Technology | iSherlock - OS Command Injection

• Subject: [Vulnerability Alert] Han-Kuang Technology | iSherlock - OS Command Injection

• Content:
  • Forwarded from Taiwan Computer Network Emergency Response Team/Coordination Center TWCERTCC-200-202510-00000012
  • [Han-Kuang Technology | iSherlock - OS Command Injection] (CVE-2025-11900, CVSS: 9.8) iSherlock developed by Han-Kuang Technology has an OS Command Injection vulnerability, allowing an unauthenticated remote attacker to inject arbitrary operating system commands and execute them on the server.
• Affected Platforms:
  • Sherlock 4.5 and iSherlock 55 (Including MailSherlock, SpamSherlock, AuditSherlock)
  • iSherlock-smtp-4.5: Versions prior to 774 (exclusive)
  • iSherlock-smtp-5.5: Versions prior to 774 (exclusive)
  • iSherlock-base-4.5: Versions prior to 440 (exclusive)
  • iSherlock-base-5.5: Versions prior to 440 (exclusive)
• Recommended Action:
  • Update iSherlock-smtp-4.5 package to version 774 (inclusive) or later
  • Update iSherlock-smtp-5.5 package to version 774 (inclusive) or later
  • Update iSherlock-base-4.5 package to version 440 (inclusive) or later
  • Update iSherlock-base-5.5 package to version 440 (inclusive) or later
• References:
  1. Han-Kuang Technology | iSherlock - OS Command Injection: https://www.twcert.org.tw/tw/cp-132-10452-9c3d4-1.html

Computer and Communications Center
Network Systems Group