- Description
- IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27394.
- Source
- zdi-disclosures@trendmicro.com
- NVD status
- Awaiting Analysis
CVSS 3.0
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- zdi-disclosures@trendmicro.com
- CWE-78
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 8
Top 5 Trending CVEs: 1 - CVE-2026-21513 2 - CVE-2025-14500 3 - CVE-2026-21236 4 - CVE-2026-2441 5 - CVE-2026-3223 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
3 Mar 2026
We are scanning & reporting IceWarp CVE-2025-14500 (CVSS 9.8, pre-auth command injection RCE) instances. 1278 IPs seen 2026-03-01 (version based check). Patch info: https://t.co/YV3Vx4eb2S IP data in https://t.co/qxv0Gv5ELc Dashboard World Map view: https://t.co/ovUiL5AY3
@Shadowserver
2 Mar 2026
Warning: Critical OS Command Injection vulnerability in #IceWarp. #CVE-2025-14500 (CVSS: 9.8). Unauthenticated attackers can achieve complete system compromise #RCE #Patch #Patch #Patch More info: https://t.co/Tus9dx7VH1
@CCBalert
20 Feb 2026
🔴 CVE-2025-14500 - Critical IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp... https://t.co/HfM2lQPFxe https://t.co/1g41edp6j5
@TheHackerWire
23 Dec 2025