Vulnerability Title
SSRF Vulnerability Leading to Unauthenticated Remote Command Execution in Certain Hillstone Networks Products
Release Date
2026-01-22
Overview
SSRF Vulnerability Leading to Unauthenticated Remote Command Execution in Certain Hillstone Networks Products. The vulnerability is caused by insufficient validation and sanitization of user-supplied input, which is concatenated directly into system commands that are then executed, resulting in a Remote Code Execution (RCE) vulnerability.
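The following is an added illustration of the root cause described above. It is example code written for this page, not Hillstone code, and it does not reflect any particular component, parameter or command of the affected products. It shows an outbound-request handler in two shapes: the vulnerable one, where a user-supplied URL is spliced into a command string that a shell would parse, and a hardened one that validates the target against SSRF rules (scheme allowlist, no embedded credentials, no loopback/private/link-local IP literals, syntactically valid hostname) and then builds an argv list so that no shell ever sees the value. The use of `curl`, the hostname grammar and the function names are assumptions chosen for the illustration.

```python
"""Added example (not Hillstone code): SSRF target validation plus a
shell-free command build, contrasted with the concatenation pattern the
advisory names as root cause. The curl invocation is an assumed example."""
import ipaddress
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# One DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
# Anything outside this grammar (spaces, ';', '$', backticks, ...) fails early.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


class UnsafeTarget(ValueError):
    """Raised when a user-supplied URL fails validation."""


def _parse_ip(host: str):
    """Return the parsed address if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def validate_target(url: str) -> str:
    """Return url unchanged if it is an acceptable outbound target, else raise.

    SSRF side of the problem: only http/https, no credentials in the URL,
    IP literals must be globally routable (rejects 127/8, 10/8, 169.254/16,
    ::1, IPv4-mapped forms, ...), hostnames must be well-formed and must not
    end in an all-numeric label (which catches decimal-IP forms such as
    "2130706433" that are not parsed as IP literals).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeTarget("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("missing host")
    try:
        parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError as exc:
        raise UnsafeTarget(f"bad port: {exc}") from None
    ip = _parse_ip(host)
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 meaning
        if not ip.is_global:
            raise UnsafeTarget(f"non-public address: {host}")
        return url
    if not _HOSTNAME_RE.match(host):
        raise UnsafeTarget(f"invalid hostname: {host!r}")
    if host.rsplit(".", 1)[-1].isdigit():
        raise UnsafeTarget(f"numeric top-level label: {host!r}")
    return url


def vulnerable_shell_command(url: str) -> str:
    """The root-cause pattern: the raw value is concatenated into a command
    string. If this string were handed to a shell, metacharacters in the URL
    would be interpreted as further commands. Shown for contrast only; it is
    never executed in this example."""
    return "curl -s " + url


def build_fetch_argv(url: str, timeout_s: int = 10) -> list[str]:
    """Hardened form: validate first, then build an argv list. Run with
    subprocess.run(argv, shell=False) the URL reaches the program as one
    argument, so shell metacharacters inside it are inert; '--' stops curl
    from reading a URL that begins with '-' as an option."""
    safe_url = validate_target(url)
    return ["curl", "--silent", "--max-time", str(timeout_s), "--", safe_url]


def run_fetch(url: str, timeout_s: int = 10) -> bytes:
    """Execute the hardened argv without a shell and return the body."""
    argv = build_fetch_argv(url, timeout_s)
    result = subprocess.run(argv, shell=False, capture_output=True,
                            timeout=timeout_s + 5, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed input: a URL carrying a shell metacharacter sequence.
    sample = "http://example.com/x; echo injected"
    print("vulnerable string :", vulnerable_shell_command(sample))
    print("hardened argv     :", build_fetch_argv(sample))
```

Two caveats a practitioner would add on top of this: validation at parse time does not defend against DNS rebinding or a redirect to an internal address, so the resolved address should be re-checked at connect time and redirects should stay disabled (the argv above deliberately omits curl's `-L`); and the argv list is only safe while the callee really is exec'd directly, not wrapped again in a shell script that re-joins its arguments.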
HSVD ID
HSVD-2025-0049
External Reference ID
N/A
Severity
High
Reported By
Internal disclosure
Impact and Fix
Affected version and repair version:
| Product | Affected version | Repair version |
|---|---|---|
| Firewall | R8 and previous versions | 5.5R8P28 |
| IFW | Versions before IFW4.0 | IFW4.3.2 |
| IPS | Versions before IPS5.0 | IPS5.0 |
| BDS | Versions before BDS5.0 | BDS5.0 |
| WAF | WAF3.6-WAF3.6.6 | WAF3.6.7 |
| LMS | LMS4.3.6 version and earlier versions | LMS4.3.7 |
| CloudHive | CloudHive 2.9.4B2.3 and earlier versions | CloudHive 2.9.4B2.4 |
Remediation and Mitigation
1. It is recommended to give priority to upgrading to a repaired software version.
2. Where the software version cannot be upgraded for the time being, restrict management access to the device: configure trusted hosts (admin hosts) to limit the IP ranges from which the device may be managed, and modify the management methods enabled under each interface to limit which interfaces expose management services.
Contact Information
For questions about this vulnerability and detailed solutions, you can contact the technical support hotline of Shanshi Network Technology (Hillstone Networks) at 400-828-6655, where professional service personnel and pre-sales technicians are available.
Feedback on security issues in Shanshi Network Technology products and solutions should be sent to the Shanshi PSIRT mailbox, PSIRT@hillstonenet.com. Shanshi Network Technology will do its best to protect the interests of product users, follow the principle of responsible security incident disclosure, and handle product security issues in accordance with relevant laws and regulations.
Shanshi Network Technology: doing its best for your security!
Legal Notice
Without the written authorization of the Company, no organization or individual may modify, excerpt or disseminate the content of this announcement for commercial purposes.