CVE-2018-6289

9.8 CRITICAL

📋 TL;DR

CVE-2018-6289 is a configuration file injection vulnerability in Kaspersky Secure Mail Gateway that allows attackers to execute arbitrary code with root privileges. This affects version 1.1 of the product, enabling complete system compromise. Organizations using this specific version are vulnerable to remote code execution.

💻 Affected Systems

Products:
  • Kaspersky Secure Mail Gateway
Versions: 1.1
Operating Systems: Linux-based appliance
Default Config Vulnerable: ⚠️ Yes
Notes: This is a specific appliance version vulnerability; no other Kaspersky products are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root privileges, allowing installation of persistent backdoors, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to mail gateway compromise, potential email interception, and credential theft from the affected system.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external exploitation, though internal threats remain possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation details were publicly disclosed in security advisories, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.1.162.0 or later

Vendor Advisory: https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

Restart Required: Yes

Instructions:

1. Download the latest patch from the Kaspersky support portal.
2. Apply the update through the appliance management interface.
3. Restart the appliance as prompted.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate the mail gateway from untrusted networks to reduce attack surface.

Access Control Restrictions

Platform: linux

Limit administrative access to the appliance to trusted IP addresses only. Replace [admin_port] with the port of the administrative interface and [trusted_ip] with the management host's address. iptables evaluates rules in order, so the ACCEPT rule must precede the DROP rule, and neither takes effect if an earlier rule in the INPUT chain already accepts the traffic (check with `iptables -L INPUT -n --line-numbers`). Rules added with -A are not persistent across a reboot unless saved.

iptables -A INPUT -p tcp --dport [admin_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [admin_port] -j DROP

🧯 If You Can't Patch

  • Decommission the vulnerable version and replace with a supported, patched version or alternative solution.
  • Implement strict network monitoring and intrusion detection specifically for this appliance.

🔍 How to Verify

Check if Vulnerable:

Check the appliance version in the web administration interface under System Information.

Check Version:

ssh admin@[appliance_ip] 'cat /etc/version' or check via web interface

Verify Fix Applied:

Verify the version is 1.1.162.0 or higher in the administration interface.
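A small checker for the version step above, added here as an example and not part of the original advisory or of any Kaspersky tooling. It compares the installed build against 1.1.162.0 numerically, component by component, because a plain string comparison gets builds such as 1.1.99.0 wrong ("99" sorts after "162" as text). The format of `/etc/version` on the appliance is an assumption: the parser accepts either a bare version string or a line such as `Version: 1.1.162.0`.

```python
import re
import sys
from typing import Tuple

# Fixed build named by the advisory; only the 1.1 branch is listed as affected.
FIXED_VERSION = "1.1.162.0"
AFFECTED_BRANCH = (1, 1)

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version from text and return it as an int tuple.

    The layout of /etc/version on the appliance is assumed, not documented on
    the page: the regex tolerates a bare '1.1.162.0' as well as 'Version: 1.1.162.0'.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def compare_versions(a: str, b: str) -> int:
    """Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.

    String comparison would get this wrong: '1.1.99.0' > '1.1.162.0' as text,
    but 99 < 162 as a build number.
    """
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))  # treat missing trailing components as zero
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def assess(version_output: str) -> str:
    """Classify a version string as 'vulnerable', 'patched' or 'unknown'.

    'unknown' means the build is outside the 1.1 branch the advisory covers,
    so this page gives no basis for a verdict either way.
    """
    v = parse_version(version_output)
    if v[:2] != AFFECTED_BRANCH:
        return "unknown"
    if compare_versions(version_output, FIXED_VERSION) >= 0:
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Read the appliance's version output from stdin when piped, otherwise use
    # a constructed sample value so the script runs stand-alone.
    data = sys.stdin.read() if not sys.stdin.isatty() else "1.1.99.0\n"
    print(assess(data))
```

Usage: pipe the output of the page's own check into the script, e.g. `ssh admin@[appliance_ip] 'cat /etc/version' | python3 check_ksmg_version.py`, and treat anything other than `patched` as a reason to look at the appliance by hand.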

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration file modifications
  • Unexpected root-level process execution
  • Failed authentication attempts to admin interface

Network Indicators:

  • Suspicious traffic to admin ports from untrusted sources
  • Unexpected outbound connections from the appliance

SIEM Query:

source="kaspersky_mail_gateway" AND (event="config_modification" OR event="root_execution")

🔗 References
