Skip to main content

Cellopoint CelloOS CVE-2026-12059

| EUVDEUVD-2026-36389 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-12 twcert GHSA-qg44-88jp-h8xv
8.7
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

SSH is network-reachable (AV:N), no special conditions beyond valid low-priv operator credentials (AC:L, PR:L), no user interaction, and restricted-shell escape yields full OS command execution affecting C/I/A on the same appliance (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 08:16 EUVD
Analysis Generated
Jun 12, 2026 - 07:15 vuln.today

DescriptionCVE.org

The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope.

AnalysisAI

Command restriction bypass in the SSH service of Cellopoint CelloOS allows authenticated remote attackers to escape the restricted shell and execute arbitrary operating system commands beyond their authorized scope. The flaw is tracked as an Improper Access Control issue (CWE-1284) and was disclosed by Taiwan's TWCERT with a CVSS 4.0 score of 8.7. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

CelloOS is the underlying operating platform that powers Cellopoint's email security appliances (notably the Cellopoint Secure Email Gateway product family). Administrative and operator access to these appliances is typically provided through an SSH-based restricted command shell that is meant to expose only a curated subset of management commands. CWE-1284 (Improper Validation of Specified Quantity in Input) - more precisely, the broader Improper Access Control pattern referenced here - covers cases where the gating logic between authorized and unauthorized commands fails to properly canonicalize, parse, or validate operator input. In this case the SSH command parser does not adequately enforce its allow-list, so crafted input is interpreted by the underlying OS shell instead of being rejected, granting access to commands outside the management interface's intended surface.

RemediationAI

Patch availability cannot be independently confirmed from the supplied data - treat this as 'Patch available per vendor advisory' and consult the TWCERT-mirrored Cellopoint advisory at https://www.twcert.org.tw/en/cp-139-10965-3ce75-2.html and https://www.twcert.org.tw/tw/cp-132-10966-3258e-1.html for the exact fixed CelloOS build, then upgrade to that build on every appliance. Until the patched version is deployed, restrict SSH access on the appliance to a dedicated management VLAN or jump host via firewall ACLs so the service is not reachable from user networks or the internet (trade-off: legitimate remote admin workflows must move through the bastion). Rotate and tightly scope operator credentials, remove any unused or shared accounts, and prefer key-based authentication with per-user keys so that the PR:L precondition is harder to satisfy. Enable verbose SSH session/command logging and forward it to a SIEM to detect attempted escapes - note this is detective, not preventive. Disabling SSH entirely is the strongest workaround but generally not operationally viable on these appliances since SSH is the primary management channel.

Share

CVE-2026-12059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy