【Vulnerability Alert】Hgiga iSherlock - OS Command Injection

• Subject: 【Vulnerability Alert】Hgiga iSherlock - OS Command Injection

• Description:
  • Forwarded from TWCERT/CC Security Alert TWCERTCC-200-202604-00000015.
  • There is an OS Command Injection vulnerability in iSherlock developed by Hgiga (CVE-2026-6349, CVSS: 9.8). An unauthenticated local attacker can inject arbitrary operating system commands and execute them on the server.
• Affected Platforms:
  • Hgiga iSherlock 4.5 and 5.5 (including MailSherlock, SpamSherlock, and AuditSherlock)
  • iSherlock-base-4.5 versions prior to 476
  • iSherlock-audit-4.5 versions prior to 261
  • iSherlock-base-5.5 versions prior to 476
  • iSherlock-audit-5.5 versions prior to 261
• Recommended Actions:
  • Update the iSherlock-base-4.5 package to version 476 or later.
  • Update the iSherlock-audit-4.5 package to version 261 or later.
  • Update the iSherlock-base-5.5 package to version 476 or later.
  • Update the iSherlock-audit-5.5 package to version 261 or later.
• Reference:
  1. https://www.twcert.org.tw/tw/cp-132-10842-3f255-1.html

Computer and Communication Center
Network Systems Division