| Advisory ID | Severity | Release Date | Reported By | CVE ID |
|---|---|---|---|---|
| HSVD-2025-0049 | High | January 22, 2026 | Internal disclosure | N/A |
Overview
Hillstone Products SSRF Vulnerability Leading to Unauthenticated Remote Command Execution. The vulnerability exists because the affected system does not effectively filter user input and splices it directly into a system command that is then executed, which results in remote code execution.
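The advisory describes the general pattern of user input being spliced into a system command without effective filtering. The following is an added, generic illustration of that pattern and of the hardened form a developer would use instead; it is not Hillstone's code and says nothing about the actual affected component. The `ping` diagnostic, the function names and the sample inputs are assumptions chosen for the example.

```python
import ipaddress
import re
import subprocess

# Hostname per RFC 1123 label rules: dot-separated labels of letters, digits and
# hyphens, each 1-63 characters, whole name at most 253 characters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(value: str) -> str:
    """Return value if it is a plain IP address or hostname, else raise ValueError.

    The check is an allowlist: anything that is not a well-formed address or
    hostname (shell metacharacters, whitespace, URL syntax, empty strings) is
    rejected outright rather than "filtered" by stripping characters, which is
    the approach that tends to be bypassed.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("empty target")
    try:
        # Accepts IPv4 and IPv6 literals; normalises the textual form.
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid target: {value!r}")


def is_valid_target(value: str) -> bool:
    """Boolean wrapper around validate_target for callers that just need yes/no."""
    try:
        validate_target(value)
        return True
    except ValueError:
        return False


def build_command_unsafe(target: str) -> str:
    """Vulnerable pattern (hypothetical): user input spliced into a shell string.

    If this string were handed to a shell, every metacharacter in `target`
    would be interpreted, so the caller no longer controls what runs.
    """
    return "ping -c 1 " + target


def build_command_safe(target: str) -> list:
    """Hardened pattern: validate first, then build an argv list.

    An argv list passed to subprocess with shell=False is never parsed by a
    shell, so even a value that slipped past validation cannot add commands.
    """
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target: str, dry_run: bool = True) -> list:
    """Validate and (optionally) execute the diagnostic; returns the argv used."""
    argv = build_command_safe(target)
    if not dry_run:
        # shell=False is the default, stated explicitly to make the intent visible.
        subprocess.run(argv, shell=False, check=False, timeout=10)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs: a benign address and one carrying a separator.
    for sample in ("10.0.0.1", "fw.example.com", "10.0.0.1; echo injected"):
        print(repr(sample), "->", "valid" if is_valid_target(sample) else "rejected")
```

The contrast to note is that `build_command_unsafe` happily returns a string for the third sample, whereas `build_command_safe` refuses it before any command is built; the validation plus the argv form together are what removes the splicing problem the advisory describes.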
Affected Products & Fix Versions
| PRODUCT | AFFECTED VERSIONS | FIX VERSION |
|---|---|---|
| Firewall | R8 and earlier | 5.5R8P28 |
| IPS | Earlier than IPS5.0 | IPS5.0 |
| BDS | Earlier than BDS5.0 | BDS5.0 |
| WAF | WAF3.6 – WAF3.6.6 | WAF3.6.7 |
| LMS | LMS4.3.6 and earlier | LMS4.3.7 |
| CloudHive | CloudHive 2.9.4B2.3 and earlier | CloudHive 2.9.4B2.4 |
Remediation & Mitigation
- Preferred: Upgrade to the fixed software version listed above for your product as soon as possible.
- Temporary workaround: If an immediate upgrade is not possible, restrict management access by configuring trusted host (admin host) settings and limiting the management interface to trusted IP ranges only.
Contact & Reporting
For technical support and detailed remediation guidance, contact Hillstone Networks support at +1-800-930-6707.
To report security issues in Hillstone products, email PSIRT@hillstonenet.com. Hillstone follows responsible disclosure principles and applicable regulations when handling product security incidents.
Legal notice — Without written authorization from Hillstone Networks, no organization or individual may modify, excerpt, or disseminate the content of this advisory for commercial purposes.