Forwarded by Taiwan Computer Network Crisis Response and Coordination Center (TWCERTCC-200-202510-00000012)
[Description]
[HGiga | iSherlock - OS Command Injection] (CVE-2025-11900, CVSS: 9.8) iSherlock, developed by HGiga, has an OS Command Injection vulnerability. An unauthenticated remote attacker can inject arbitrary operating system commands and execute them on the server.
[Affected Platforms]
● Sherlock 4.5 and iSherlock 55 (including MailSherlock, SpamSherlock, and AuditSherlock)
● iSherlock-smtp-4.5: Versions before 774 (exclusive)
● iSherlock-smtp-5.5: Versions before 774 (exclusive)
● iSherlock-base-4.5: Versions before 440 (exclusive)
● iSherlock-base-5.5: Versions before 440 (exclusive)
[Suggested Actions]
● Update the iSherlock-smtp-4.5 package to version 774 or later
● Update the iSherlock-smtp-5.5 package to version 774 or later
● Update the iSherlock-base-4.5 package to version 440 or later
● Update the iSherlock-base-5.5 package to version 440 or later
[Reference]
https://www.twcert.org.tw/tw/cp-132-10440-dd55d-1.html