Answer Brief
Taiwan’s TWCERT/CC published a critical vulnerability notice for an OS command injection flaw in Hgiga iSherlock appliances/software, including MailSherlock, SpamSherlock, and AuditSherlock. The issue (CVE-2026-6349, CVSS 9.8) could allow arbitrary OS command execution on the server under the conditions described in the advisory. Hgiga provides fixed package versions for both the 4.5 and 5.5 branches.

Why It Matters
TWCERT/CC’s notice highlights a high-impact command injection condition in a product family used for mail handling and related security functions (MailSherlock/SpamSherlock/AuditSherlock). Because these systems typically sit on sensitive messaging paths and often have broad connectivity to internal directories, mail stores, and logging pipelines, any server-side command execution risk can quickly become an enterprise-wide infrastructure concern.
The advisory rates the issue at CVSS 9.8 (Critical) and describes the consequence as arbitrary OS command execution on the server. Even when initial access conditions are constrained (the notice references an unauthenticated local attacker scenario), command injection vulnerabilities are routinely prioritized by defenders because they can be chained with other footholds (e.g., compromised endpoints, exposed admin paths, or misconfigurations) to reach high-value infrastructure.
Why this Taiwan-origin signal matters globally: TWCERT/CC advisories often surface vulnerabilities affecting appliances and enterprise middleware deployed across Asia-Pacific supply chains. For cloud and infrastructure security teams supporting multinational environments, these disclosures can be an early indicator to check regional deployments, subsidiaries, and MSP-managed mail gateways for lagging patch levels—especially for “edge-adjacent” messaging systems that connect on-prem networks to external email traffic.
Hgiga’s mitigation guidance in the notice is version-based: update iSherlock-base to 476+ and iSherlock-audit to 261+ for both the 4.5 and 5.5 branches. The report credits Ting-Wei Hsieh and Jun-Yi Dai of CHT Security as vulnerability reporters.
Event Type: security
Importance: high
Affected Companies
- CHT Security
- Hgiga
- TWCERT/CC
Affected Sectors
- Cybersecurity
- Email Security
- IT Infrastructure
- Managed Security Services
Key Numbers
- CVE: CVE-2026-6349
- TVN ID: TVN-202604002
- CVSS v3.1: 9.8 (Critical)
- Affected product lines: Hgiga iSherlock 4.5 and 5.5 (including MailSherlock, SpamSherlock, AuditSherlock)
- Fixed package versions (base): iSherlock-base 4.5/5.5: 476 and later
- Fixed package versions (audit): iSherlock-audit 4.5/5.5: 261 and later
Timeline
- TWCERT/CC publishes TVN-202604002 for Hgiga iSherlock OS command injection (CVE-2026-6349).