CVE-2024-5670 (CVSS 9.8): Critical Vulnerability Exposes Softnext Email Systems to Attack
Taiwan’s CERT (Computer Emergency Response Team) has issued a critical warning regarding a severe vulnerability in Softnext’s Mail SQR Expert and Mail Archiving Expert email management systems. This vulnerability, designated as CVE-2024-5670 with a CVSS score of 9.8, poses a significant risk of remote code execution and potential compromise of sensitive data.
Vulnerability Details:
The vulnerability stems from inadequate validation of user input in the web services of both Mail SQR Expert and Mail Archiving Expert. Because the input is not properly checked before it reaches an OS command, a remote, unauthenticated attacker can inject arbitrary OS commands that the affected server then executes, effectively handing the attacker control of the system.
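The vulnerability class described above, as an added illustration that is not Softnext's code and does not reflect the actual flaw in Mail SQR Expert or Mail Archiving Expert: a hypothetical web handler that splices a request parameter (named `mailbox` here by assumption) into a shell command line, beside a hardened version that allowlists the value and invokes the utility as an argv list without a shell. `echo` stands in for whatever mail-handling utility a real service would call, and the payload is constructed for the example.

```python
import re
import subprocess

# Allowlist for the hypothetical "mailbox" request parameter: only characters a
# mailbox name legitimately needs. Shell metacharacters (; | & $ ` newline ...)
# are rejected before the value reaches any command. The pattern is an assumption
# made for this example, not taken from the product.
MAILBOX_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def lookup_vulnerable(mailbox: str) -> str:
    """Pre-patch pattern: the request parameter is spliced into a shell command line.

    shell=True hands the whole string to /bin/sh, so a ';' (or |, &&, $(), backticks)
    inside `mailbox` ends the intended command and starts an attacker-chosen one.
    """
    cmd = f"echo mailbox={mailbox}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(mailbox: str) -> str:
    """Patched pattern: validate against an allowlist, then run without a shell.

    Either measure alone closes the injection shown here; doing both means that a
    later change (a utility that interprets its own arguments, say) still only ever
    sees a conservative value.
    """
    if not MAILBOX_RE.fullmatch(mailbox):
        raise ValueError(f"rejected mailbox parameter: {mailbox!r}")
    # argv list, no shell: the value is a single argument and is never re-parsed.
    return subprocess.run(["echo", f"mailbox={mailbox}"],
                          capture_output=True, text=True).stdout


def injected(output: str, marker: str = "INJECTED") -> bool:
    """True if the attacker's marker appears as its own output line, i.e. a
    second command actually ran rather than being printed as literal text."""
    return marker in output.splitlines()


if __name__ == "__main__":
    benign = "alice"
    # Constructed payload: ';' terminates the echo, then a second command runs.
    hostile = "alice; echo INJECTED"

    print("vulnerable, benign :", lookup_vulnerable(benign).strip())
    print("vulnerable, hostile:", lookup_vulnerable(hostile).strip().replace("\n", " | "))
    print("hardened,   benign :", lookup_hardened(benign).strip())
    try:
        lookup_hardened(hostile)
    except ValueError as err:
        print("hardened,   hostile:", err)
```

Run on a POSIX system, the vulnerable handler prints `mailbox=alice` followed by `INJECTED` on its own line, showing that the second command executed; the hardened handler rejects the same value before any process is started. The allowlist is the important half: switching to an argv list stops the shell from re-parsing the value, but a utility that treats leading `-` as an option, or a path that resolves `..`, still needs the input constrained.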
Impact:
Successful exploitation of this vulnerability could lead to severe consequences, including unauthorized access to sensitive emails and attachments, data theft, disruption of mail services, and use of the compromised server as a foothold for further attacks within the network. The high severity of this flaw underscores the urgency of immediate action to mitigate the risk.
Affected Products:
CVE-2024-5670 affects Mail SQR Expert and Mail Archiving Expert installations running the following versions of Softnext's SN OS:
- SN OS 12.1 version 230921 and earlier
- SN OS 12.3 version 230921 and earlier
- SN OS 10.3 version 230630 and earlier
Mitigation:
Softnext has released updated versions of SN OS to address this vulnerability. Users are strongly advised to update their systems to the following versions or later as soon as possible. Note that the fixed builds are numbered only one step above the last affected builds, so check the exact build number rather than just the 12.1, 12.3 or 10.3 branch:
- SN OS 12.1 version 230922 or later
- SN OS 12.3 version 230922 or later
- SN OS 10.3 version 230631 or later
For systems running on FreeBSD 9.x, an operating system upgrade is required before applying the security patches.