IACBOX Security Advisories

IAC-2026-006 Two vulnerabilities in PHP dependencies

2026-04-08T15:00:00Z

IAC-2026-006 - Two vulnerabilities in PHP dependencies

Released: 2026-04-08 15:00:00 +0000 +0000
Updated: 2026-04-08 15:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.2.2
Version with Fix: 24.2.3

There have been two vulnerabilities in PHP dependencies found.

CVE-2026-4587: Affects the composer package hybridauth/hybridauth. A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult.

CVE-2025-64500: The composer package symfony/http did not handle paths safely. This vulnerability is rated as HIGH, but as the IACBOX does not use this package for authentication/authorization we're not affected directly. To avoid possible unknown issues with this in third party libs, this package is updated to a safe version.

Update recommendation
The affected composer packages have been updated. Updating the IACBOX to this version is recommended for users of any OAuth2 authentication like the Social logins and Microsoft Entry ID (Azure AD).

IAC-2026-005 openssl 3.5.x vulnerabilities

2026-03-09T10:00:00Z

IAC-2026-005 - openssl 3.5.x vulnerabilities

Released: 2026-03-09 10:00:00 +0000 +0000
Updated: 2026-03-09 10:00:00 +0000 +0000
Severity: not_affected
Affected version from (incl.):
Affected version to (incl.):
Version with Fix: 24.2.2

There are two vulnerabilities in openssl 3.5.x. This update delivers openssl 3.5.5, which contains the fixes for these vulnerabilities.

CVE-2025-11187: Improper validation of PBMAC1 parameters in PKCS#12 MAC verification. Currently certificates are only supported in PKCS#1/8 format, so this vulnerability does not affect normal IACBOX operation.
CVE-2025-15467: Stack buffer overflow in CMS (Auth)EnvelopedData parsing could theoretically be used for DoS attacks, so this vulnerability is rated as High by openssl. But as CMS is not used on the IACBOX, this code is never reached.

More details on CVE-2025-11187
More details on CVE-2025-15467

openssl is updated anyway to the latest version with 24.2.2.

IAC-2026-004 Two vulnerabilities in go

2026-03-09T10:00:00Z

IAC-2026-004 - Two vulnerabilities in go

Released: 2026-03-09 10:00:00 +0000 +0000
Updated: 2026-03-09 10:00:00 +0000 +0000
Severity: low
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.2.1
Version with Fix: 24.2.2

There are two vulnerabilities in the Go standard library up to go 1.25.6. To our knowledge, these vulnerabilities do not affect our go code,but may occur in depencencies of the go libs. This update delivers go binaries compiled with go 1.25.7.

CVE-2025-68121: crypto/tls: Fixes a possible validation bypass if third-party libs manipulate the TLS config.
CVE-2025-61732: This vulnerability affects only the go toolchain and is not relevant for the IACBOX itself.

Find all details on the Go Security Advisory

IAC-2026-003 Multiple vulnerabilities in go

2026-01-29T13:00:00Z

IAC-2026-003 - Multiple vulnerabilities in go

Released: 2026-01-29 13:00:00 +0000 +0000
Updated: 2026-01-29 13:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.1.x
Version with Fix: 24.2.0

There are multiple vulnerabilities in the Go standard library that could lead to Denial of Service (DoS) attacks or information leaks.There is no high risk for normal IACBOX operation.

CVE-2025-61728: archive/zip: Potential DoS attack when unpacking a malicious archive.
CVE-2025-61726: net/http: Potential DoS attack due to memory exhaustion on malicious URLs.
CVE-2025-68121: crypto/tls: Potential bypass a check of the full TLS certificate chain.
CVE-2025-61730: crypto/tls: Potential minor information leakage during TLS handshake.
CVE-2025-61731, CVE-2025-68119: This vulnerabilities affect only the go toolchain.

Find all details on the Go Security Advisory

IAC-2026-002 Multiple vulnerabilities in PHP

2026-01-29T13:00:00Z

IAC-2026-002 - Multiple vulnerabilities in PHP

Released: 2026-01-29 13:00:00 +0000 +0000
Updated: 2026-01-29 13:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.1.x
Version with Fix: 24.2.0

GHSA-8xr5-qppj-gvwj
NULL Pointer Dereference in PDO quoting - could lead to DoS attacks

GHSA-3237-qqm7-mfv7
Information Leak of Memory

GHSA-h96m-rvf9-jgm2
Heap buffer overflow in array_merge() - could lead to DoS attacks with crafted input

We recommend upgrading to the latest IACBOX version 24.2.0 to mitigate these vulnerabilities.

IAC-2026-001 zlib / untgz vulnerability

2026-01-09T09:00:00Z

IAC-2026-001 - zlib / untgz vulnerability

Released: 2026-01-09 09:00:00 +0000 +0000
Updated: 2026-01-09 09:00:00 +0000 +0000
Severity: not_affected
Affected version from (incl.):
Affected version to (incl.):
Version with Fix:

The optional command line utility untgz has a critical vulnerability that allows an attacker to execute arbitrary code on the system. This vulnerability is due to a buffer overflow in the untgz utility.

The IACBOX is not affected, because untgz is not installed, only zlib is installed, which does not have this vulnerability.

See external page for more details

IAC-2025-008 go-lang security vulnerabilities

2025-10-06T09:00:00Z

IAC-2025-008 - go-lang security vulnerabilities

Released: 2025-10-06 09:00:00 +0000 +0000
Updated: 2025-10-06 09:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.0.11
Version with Fix: 24.1.0

The go standard library is vulnerable to this security vulnerabilities:

EUVD-2025-30195, CVE-2025-47906

If the PATH environment variable contains paths which are executables (rather than just directories),passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

EUVD-2025-23921, CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of thereturned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race conditionthat may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected resultsfrom the other query or an error.

The go version was updated to 1.25.1 and all affected go binaries were recompiled.

IAC-2025-007 openssl 3.1 End Of Life

2025-10-06T09:00:00Z

IAC-2025-007 - openssl 3.1 End Of Life

Released: 2025-10-06 09:00:00 +0000 +0000
Updated: 2025-10-06 09:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.0.11
Version with Fix: 24.1.0

IACBOX version 24 used openssl 3.1 which is End Of Life.
The update to IACBOX 24.1.0 updates openssl to version 3.5.x which is the latest LTS version with updates till 2030.

IAC-2025-006 Possible SQL injection via pgsql extension

2025-07-14T12:00:00Z

IAC-2025-006 - Possible SQL injection via pgsql extension

Released: 2025-07-14 12:00:00 +0000 +0000
Updated: 2025-07-14 12:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.0.8
Version with Fix: 24.0.9

Missing error checking could result in SQL injection and missing error handling could lead to crashes due to null pointer dereferences.

Further Information
https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3

IAC-2025-005 sudo Vulnerability

2025-07-02T08:00:00Z

IAC-2025-005 - sudo Vulnerability

Released: 2025-07-02 08:00:00 +0000 +0000
Updated: 2025-07-02 08:00:00 +0000 +0000
Severity: not_affected
Affected version from (incl.):
Affected version to (incl.):
Version with Fix:

The IACBOX is not affected by the sudo vulnerability, as none of our versions ever had "sudo" installed.

IAC-2025-004 Vulnerability in PostgreSQL

2025-05-22T12:00:00Z

IAC-2025-004 - Vulnerability in PostgreSQL

Released: 2025-05-22 12:00:00 +0000 +0000
Updated: 2025-05-22 12:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.0.6
Version with Fix: 24.0.7

A vulnerability in PostgreSQL allowing to inject malicious SQL queries as well as local code execution via interactive psql tool.

Further Information
https://ubuntu.com/security/CVE-2025-1094
https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

IAC-2025-003 Vulnerabilities in xz/liblzma

2025-05-13T12:00:00Z

IAC-2025-003 - Vulnerabilities in xz/liblzma

Released: 2025-05-13 12:00:00 +0000 +0000
Updated: 2025-05-13 12:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.0.5
Version with Fix: 24.0.6

A vulnerability in xz/liblzma can lead to a crash if an invalid/manipulated xz archive gets decoded.

For all details please visit: https://tukaani.org/xz/threaded-decoder-early-free.html

IAC-2025-002 Multiple vulnerabilities in openssl

2025-05-13T12:00:00Z

IAC-2025-002 - Multiple vulnerabilities in openssl

Released: 2025-05-13 12:00:00 +0000 +0000
Updated: 2025-05-13 12:00:00 +0000 +0000
Severity: low
Affected version from (incl.): 24.0.0
Affected version to (incl.): 24.0.5
Version with Fix: 24.0.6

Multiple vulnerabilities have been found in openssl:

- Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)- Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

This bugs are not critical for the system and have a low severity.

IAC-2025-001 Multiple vulnerabilities in rsync

2025-01-22T09:00:00Z

IAC-2025-001 - Multiple vulnerabilities in rsync

Released: 2025-01-16 12:00:00 +0000 +0000
Updated: 2025-01-22 09:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 21.0-p21004, 24.0.0
Affected version to (incl.): 21.0-p21592, 24.0.1
Version with Fix: 21.0-p21595, 24.0.2

Multiple vulnerabilities have been found in rsync, but most of them affect only the rsync daemon, which is not in use on the IACBOX.
But the rsync client is also affected if connected to unknown servers that are maybe controlled by an attacker.

Which versions are affected?

All versions up to v21 are affected as they are using rsync. The impact is rated only as MEDIUM as an IACBOX is only connecting to Asteas controlled update servers, so there is no real attack surface, except for a possible local exploitation.
The rsync package is updated anyway to eliminate any possibly left over risk.
This issue is fixed with the current version 21.0-p21595.

Version 24 is not using rsync anymore, but as the binary is installed it get's updated to the latest rsync version 3.4.1 too.
The new rsync version is shipped with version 24.0.2, released on 22 Jan 2025.

For all details please visit: https://kb.cert.org/vuls/id/952657

IAC-2024-008 CUPS vulnerability

2024-09-30T09:00:00Z

IAC-2024-008 - CUPS vulnerability

Released: 2024-09-30 09:00:00 +0000 +0000
Updated: 2024-09-30 09:00:00 +0000 +0000
Severity: not_affected
Affected version from (incl.):
Affected version to (incl.):
Version with Fix:

The IACBOX does not use CUPS and is not affected.

IAC-2024-007 Webserver source code disclosure (part 2)

2024-09-09T12:00:00Z

IAC-2024-007 - Webserver source code disclosure (part 2)

Released: 2024-09-09 12:00:00 +0000 +0000
Updated: 2024-09-09 12:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21569
Version with Fix: 21.0-p21573

The webserver shipped with an IACBOX (apache) had a source code disclosure vulnerability in version 2.4.60.
This was only partially fixed with version 2.4.61 that has already been shipped with IACBOX version 21.0-p21566.
We have not been able to trigger this vulnerability anymore, but to be safe, we advise you to update to the latest version 21.0-p21573

See the apache changelog for details

IAC-2024-006 Radius vulnerability

2024-07-15T12:00:00Z

IAC-2024-006 - Radius vulnerability

Released: 2024-07-15 12:00:00 +0000 +0000
Updated: 2024-07-15 12:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21561
Version with Fix: 21.0-p21566

The discovered vulenerability in the RADIUS protocol called Blast-RADIUS affects Radius and iPass authentication on the IACBOX.

Who is affected?
Only systems with activated external authentication method Radius or iPass are affected as plain Radius (without EAP) is in use.
- Note that Radius can also be used as authentication method for WebAdmin logins which is also affected.
- Radius as part of 802.1x is not affected as EAP should always be in use there.

There's a possible MITM attack that can change a denied authentication into a successful authentication.
The attacker needs to craft a matching MD5-HMAC within the clients timeout, so this needs resources and time, so this is not easy to exploit.

Changes
- From now on Radius requests always have the Message-Authenticator attribute set
- There's a new Radius setting in WebAdmin under Login Methods -> External Authentication -> Radius: Force Message Authenticationwhich checks if a Radius response has the attribute Message-Authenticator.
This new option has to be switched on manually as it's maybe not backwards compatible with your Radius server that does not send this attribute.

Further Information
See the blastradius.fail page for more details

IAC-2024-005 Multiple webserver vulnerabilities

2024-07-15T12:00:00Z

IAC-2024-005 - Multiple webserver vulnerabilities

Released: 2024-07-15 12:00:00 +0000 +0000
Updated: 2024-07-15 12:00:00 +0000 +0000
Severity: high
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21561
Version with Fix: 21.0-p21566

The webserver shipped with an IACBOX (apache) has multiple vulnerabilities which have been fixed with httpd version2.4.60 and 2.4.61.
As some of the vulnerabilities allow DoS attacks, all users are advised to update their systems to 21.0-p21566.

See the apache changelog for details

IAC-2024-004 OpenSSH regreSSHion vulnerability

2024-07-03T08:30:00Z

IAC-2024-004 - OpenSSH regreSSHion vulnerability

Released: 2024-07-03 08:30:00 +0000 +0000
Updated: 2024-07-03 08:30:00 +0000 +0000
Severity: high
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21556
Version with Fix: 21.0-p21561

OpenSSH has a serious remote code execution vulnerability which gets fixed with 21.0-p21561.
See all details in the Qualys report (regreSSHion)
Workaround for systems that can't be updated right now: Disable SSH access from all interfaces or add rules to your firewall so that SSH port (TCP/22) is not reachable.

IAC-2024-003 Linux kernel vulnerability

2024-04-17T09:00:00Z

IAC-2024-003 - Linux kernel vulnerability

Released: 2024-04-12 09:00:00 +0000 +0000
Updated: 2024-04-17 09:00:00 +0000 +0000
Severity: high
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21530
Version with Fix: 21.0-p21543

There's a possible local priviledge escalation in the Linux kernel GSM module. Also if the module is not used it can be loaded and exploited
UPDATE: Patchlevel update 21.0-p21543 replaces update 21.0-p21536 which provided a workaround for this issue.

IAC-2024-002 liblzma/xz/sshd vulnerability

2024-03-31T09:00:00Z

IAC-2024-002 - liblzma/xz/sshd vulnerability

Released: 2024-03-31 09:00:00 +0000 +0000
Updated: 2024-03-31 09:00:00 +0000 +0000
Severity: not_affected
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21004
Version with Fix: 21.0-p21004

The IACBOX is not affected as the used liblzma version does not contain this vulnerability.

IAC-2024-001 OpenSSH vulnerability

2024-02-01T09:00:00Z

IAC-2024-001 - OpenSSH vulnerability

Released: 2024-02-01 09:00:00 +0000 +0000
Updated: 2024-02-01 09:00:00 +0000 +0000
Severity: medium
Affected version from (incl.): 21.0-p21004
Affected version to (incl.): 21.0-p21510
Version with Fix: 21.0-p21518

An OpenSSH connection can be downgraded during handshake (Terrapin attack). As SSH is only rarely used for remote control connections this does not really affect normal operation.