CVE-2018-14417: SoftNAS Cloud OS Command Injection Vulnerability Alert

On July 26, an OS command injection vulnerability (CVE-2018-14417) in SoftNAS Cloud was disclosed. The vulnerability stems from the snserv script in the web administration console, which does not securely filter the input parameters it receives, allowing an attacker to execute commands on the system.

SoftNAS Cloud is a software-defined NAS file manager that acts as a virtual storage device running in a public, private or hybrid cloud.

SoftNAS Cloud provides enterprise-class NAS capabilities, including encryption, snapshots, fast rollback, cross-zone high availability, and automatic failover.

Affected version

  • SoftNAS Cloud version < 4.0.3

Unaffected version

  • SoftNAS Cloud version 4.0.3


SoftNAS has officially released version 4.0.3, which fixes the above vulnerability. Affected users can upgrade through the StorageCenter administrator interface of the product.

Source: coresecurity