CVE-2024-5670

Softnext Mail SQR Expert and Mail Archiving Expert - OS Command Injection

Description

The web services of Softnext's products, Mail SQR Expert and Mail Archiving Expert do not properly validate user input, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the remote server.

Remediation

Solution:

Update SN OS 12.1 to version 230922 or later Update SN OS 12.3 to version 230922 or later Update SN OS 10.3 to version 230631 or later For affected products running on FreeBSD 9.x, updates will not be supported. Please upgrade the operating system version first.

References

Link	Tags
https://www.twcert.org.tw/tw/cp-132-7958-817f4-1.html	third party advisory vendor advisory
https://www.twcert.org.tw/en/cp-139-7959-09d0e-2.html	third party advisory vendor advisory

Frequently Asked Questions

What is the severity of CVE-2024-5670?: CVE-2024-5670 has been scored as a critical severity vulnerability.
How to fix CVE-2024-5670?: To fix CVE-2024-5670: Update SN OS 12.1 to version 230922 or later Update SN OS 12.3 to version 230922 or later Update SN OS 10.3 to version 230631 or later For affected products running on FreeBSD 9.x, updates will not be supported. Please upgrade the operating system version first.
Is CVE-2024-5670 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-5670 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5670?: CVE-2024-5670 affects Softnext SN OS 12.1, Softnext SN OS 12.3, Softnext SN OS 10.3.

Description

Remediation

Category

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

Frequently Asked Questions