Post-authentication RCE in SquirrelMail Sendmail transport
CVE-2017-7692 is a post-authentication remote code execution vulnerability in SquirrelMail 1.4.22 and other versions before squirrelmail-20170427_0200-SVN.stable; it has also been reported as affecting versions up to 1.4.23. The flaw is in the initStream function of Deliver_SendMail.class.php, where SquirrelMail assembles the command line for the local Sendmail binary and passes the whole string through escapeshellcmd() before executing it. The envelope sender (Return-Path) is derived from the email address in the user's own settings and is placed on that command line as -f$envelopefrom. escapeshellcmd() neutralises shell metacharacters, but it does not escape whitespace, so a space or tab inside the address ends the -f argument and starts a new one: this is argument injection, and escapeshellcmd() is the wrong primitive for it. An authenticated user can therefore append arbitrary Sendmail options by editing their email address.

When the deployment delivers mail through the Sendmail command-line transport, the attacker can add -C to make Sendmail load an attacker-controlled sendmail.cf, and a configuration file of the attacker's choosing is enough to run arbitrary shell commands as the web server user. The published proof of concept uploads a malicious sendmail.cf as a message attachment (so the file lands on the server's filesystem), sets the user's email address to a valid-looking address followed by an injected -C argument pointing at that file, and then sends a message to trigger execution. Installations that relay to an SMTP server over the network rather than invoking a local Sendmail binary do not use this code path, but any install where an authenticated user can reach the Sendmail transport should be treated as exposed.
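The following PHP is an added illustration of the argument-injection pattern described above, not SquirrelMail's own code. PHP's escapeshellcmd() and escapeshellarg() are the real built-ins; the function names, the sample addresses and the /tmp/evil.cf path are assumptions made for this example. It places a model of the vulnerable -f$envelopefrom construction beside a hardened version that validates the address and quotes it as a single argument, and adds a small helper for hunting injected addresses in stored user preferences during an assume-compromise review.

```php
<?php
// Added example for CVE-2017-7692; not SquirrelMail's code.
// Function names and sample data below are assumed for the demonstration.

// Vulnerable construction, modelled on the "-f$envelopefrom" command line
// the advisory describes. escapeshellcmd() escapes shell metacharacters
// (; | & ` $ etc.) but leaves spaces and tabs untouched, so whitespace inside
// $envelopeFrom starts a new sendmail argument instead of staying in -f.
function build_sendmail_command_vulnerable(string $sendmailPath, string $envelopeFrom): string
{
    $command = "$sendmailPath -i -f$envelopeFrom -t";
    return escapeshellcmd($command);
}

// Hardened construction: refuse anything that is not a plain address, then
// quote the sender with escapeshellarg() so it is always exactly one argument.
function build_sendmail_command_hardened(string $sendmailPath, string $envelopeFrom): string
{
    if (!is_safe_envelope_from($envelopeFrom)) {
        throw new InvalidArgumentException('refusing unsafe envelope sender');
    }
    return escapeshellcmd($sendmailPath) . ' -i -f' . escapeshellarg($envelopeFrom) . ' -t';
}

// Conservative allow-list for an envelope sender: local part, '@', dotted
// domain, no whitespace or control characters. Deliberately stricter than
// RFC 5321; quoted local parts and IP literals are rejected rather than
// risked on a command line.
function is_safe_envelope_from(string $address): bool
{
    return preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $address) === 1;
}

// Hunting helper: flag a stored email-address preference that contains any
// whitespace or what looks like an injected sendmail option (-C, -O, -f).
function looks_like_sendmail_injection(string $address): bool
{
    return preg_match('/\s/', $address) === 1
        || preg_match('/(^|\s)-[CfO]/', $address) === 1;
}

// Constructed sample inputs. The .cf path is an assumed location chosen for
// the demo; a real attacker would point -C at wherever the upload landed.
$benign   = 'alice@example.com';
$injected = "alice@example.com\t-C/tmp/evil.cf";

$sendmail = '/usr/sbin/sendmail';

echo "vulnerable, benign:   ", build_sendmail_command_vulnerable($sendmail, $benign), PHP_EOL;
echo "vulnerable, injected: ", build_sendmail_command_vulnerable($sendmail, $injected), PHP_EOL;
echo "hardened, benign:     ", build_sendmail_command_hardened($sendmail, $benign), PHP_EOL;

try {
    build_sendmail_command_hardened($sendmail, $injected);
} catch (InvalidArgumentException $e) {
    echo "hardened, injected:   rejected (", $e->getMessage(), ")", PHP_EOL;
}

// The same helper applied to each stored preference value.
foreach ([$benign, $injected] as $stored) {
    echo 'hunt: ', json_encode($stored), ' -> ',
        looks_like_sendmail_injection($stored) ? 'SUSPICIOUS' : 'clean', PHP_EOL;
}
```

Running this shows the injected address surviving escapeshellcmd() intact, tab included, so Sendmail sees -C/tmp/evil.cf as its own option, while the hardened builder rejects it outright. For a post-compromise review, run looks_like_sendmail_injection() over the email_address value in every user's stored preferences and treat any hit as evidence that the exploit was attempted; the uploaded sendmail.cf itself should then be looked for in the attachment directory.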
Exploits
No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repository.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A post-authentication remote code execution vulnerability in the SquirrelMail webmail client that Webworm appears to have tested or used as part of initial access against at least one Serbian webmail target.
A critical authenticated remote code execution vulnerability in SquirrelMail when configured to use Sendmail, caused by insufficient escaping of user-controlled envelope-from data, allowing parameter injection and arbitrary command execution.