SoftNAS · SoftNAS Cloud · CVE-2018-14417
**Name of the Vulnerable Software and Affected Versions**
SoftNAS Cloud versions prior to 4.0.3
**Description**
A command injection issue was discovered in the web administration console. Specifically, the `snserv` script failed to sanitize the `recentVersion` parameter from the "snserv endpoint", allowing an unauthenticated attacker to execute arbitrary commands with root permissions.
**Recommendations**
For versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `snserv` script and the "snserv endpoint" to minimize the risk of exploitation. Avoid using the `recentVersion` parameter in the affected endpoint until the issue is resolved.
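The root cause described above is a request parameter reaching a command unsanitized. The following is an added example, not SoftNAS code: it shows strict allowlist validation of a `recentVersion` value and shell-free invocation as two independent layers. The dotted-numeric version format, the `handle_request` handler and the echo-only helper are all assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumption: a valid release identifier is 2-4 dot-separated numeric fields, e.g. "4.0.3".
VERSION_RE = re.compile(r"[0-9]{1,4}(?:\.[0-9]{1,4}){1,3}")

# Stand-in for the privileged update helper (hypothetical): it only echoes argv[1].
HELPER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def parse_recent_version(raw):
    """Return raw unchanged if it is a strict dotted-numeric version, else None."""
    if not isinstance(raw, str):
        return None
    # fullmatch, not match with "$": "$" would also accept a trailing newline.
    return raw if VERSION_RE.fullmatch(raw) else None


def run_helper(value):
    """Pass value as a single argv element; no shell ever parses it."""
    done = subprocess.run(HELPER + [value], capture_output=True, text=True,
                          shell=False, check=True, timeout=10)
    return done.stdout


def handle_request(params):
    """Hypothetical handler: reject anything that is not a version, then run the helper."""
    version = parse_recent_version(params.get("recentVersion"))
    if version is None:
        return 400, "invalid recentVersion"
    return 200, run_helper(version)


if __name__ == "__main__":
    # Constructed inputs: one well-formed value and several malformed ones.
    for sample in ["4.0.3", "4.0.3\n", "4.0.3; echo x", "4..3", ""]:
        print(repr(sample), handle_request({"recentVersion": sample}))
```

Only the first constructed input is accepted. `run_helper` also shows the second layer on its own: a value containing shell metacharacters arrives at the helper as literal text because the argument vector is never handed to a shell.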