| Advisory ID | Severity | Release Date | Reported By | CVE ID |
|---|---|---|---|---|
| HSVD-2025-0012 | High | April 29, 2025 | External submission | N/A |

Overview

Hillstone Products Command Injection Vulnerability. The system does not effectively filter user input and concatenates it directly into a system command that it then executes, resulting in a remote code execution vulnerability. An attacker with login permissions can take control of the server by constructing malicious requests that append commands and execute arbitrary code.

Affected Products & Fix Versions

| Product | Affected Versions | Fix Version |
|---|---|---|
| CloudHive | 2.9.4B2 and previous versions | 2.9.4B2.1 |
| LMS | Versions before 3.6.15, versions before 4.3.2 | 3.6.15 and 4.3.2 |

Remediation & Mitigation

  • Upgrade affected products to a fix version.

Contact & Reporting

For technical support and detailed remediation guidance, contact Hillstone Networks support at +1-800-930-6707.

To report security issues in Hillstone products, email PSIRT@hillstonenet.com. Hillstone follows responsible disclosure principles and applicable regulations when handling product security incidents.

Legal notice — Without written authorization from Hillstone Networks, no organization or individual may modify, excerpt, or disseminate the content of this advisory for commercial purposes.