
Vulnerability name
Some products from Shanshi Wangke have vulnerabilities that allow unauthorized remote command execution due to SSRF
Release time
2026-01-22
Vulnerability Description
Some products from Shanshi Wangke have an unauthorized remote command execution vulnerability caused by SSRF. The system fails to effectively filter user input and concatenates it directly into system commands for execution, which results in remote code execution.
Vulnerability ID: HSVD-2025-0049
Third-party number: None
Vulnerability level
high-risk
Vulnerability source
Internal disclosure
Impact and repair
Affected versions and fixed versions:
Product | Affected Version | Fixed Version
Firewall | R8 and Earlier Versions | 5.5R8P28
IFW | Versions Before IFW4.0 | IFW4.3.2
IPS | Versions Before IPS5.0 | IPS5.0
BDS | Versions Before BDS5.0 | BDS5.0
WAF | WAF3.6-WAF3.6.6 | WAF3.6.7
LMS | Versions 4.3.6 and Earlier of LMS | Version 4.3.7 of LMS
Cloud | Versions 2.9.4B2.3 and Earlier of Cloud | Version 2.9.4B2.4 of Cloud

Patch and Protection Scheme

  1. It is recommended to prioritize upgrading the software version;
  2. Where upgrading the software version is temporarily not possible, restrict the device's managed interface range and trusted host IP range by configuring a trusted host (admin host) and modifying the management method under the interface.

Contact Us
For inquiries regarding this vulnerability issue and detailed solutions, please contact the technical support hotline of Shanshi Network Technology at 400-828-6655, as well as our professional service personnel and pre-sales technical staff.
To report security issues related to Hillstone Networks’ products and solutions, please send your feedback to the Hillstone PSIRT email address: PSIRT@hillstonenet.com. Hillstone Networks is committed to safeguarding the ultimate interests of our product users, adhering to the principle of responsible security incident disclosure, and complying with relevant laws and regulations in addressing product security issues.
Shanshi Wangke, doing our utmost for your safety!
Statement
Without written authorization from our company, no organization or individual may modify, excerpt, or disseminate the content of this announcement for commercial purposes.