CVE-2025-14500
Unknown
Unknown - Not Provided
Command Injection in IceWarp X-File-Operation Enables RCE
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Zero Day Initiative
Description
Description
IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27394.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icewarp | icewarp | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a remote code execution flaw in IceWarp14 caused by improper validation of the X-File-Operation header. It allows remote attackers to execute arbitrary code on affected systems without authentication by exploiting the way user-supplied input is used in system calls.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to execute arbitrary code with SYSTEM-level privileges on the affected IceWarp installation, potentially leading to full system compromise, data theft, or disruption of services.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70