{"uuid": "7ce61e2c-9493-44fb-8892-81a7187f8142", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability", "description": "# ZDI-25-1072 | Zero Day Initiative\nDecember 10th, 2025\n\nIceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability\n--------------------------------------------------------------------------------\n\n### ZDI-25-1072  \nZDI-CAN-27394\n\n\n\n* CVE ID: CVSS SCORE\n  *                                                         CVE-2025-14500                                                    :                                                         9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                                    \n* CVE ID: AFFECTED VENDORS\n  *                                                         CVE-2025-14500                                                    :                                                                                     IceWarp                                                                                \n* CVE ID: AFFECTED PRODUCTS\n  *                                                         CVE-2025-14500                                                    :                                                                                     IceWarp                                                                                \n* CVE ID: VULNERABILITY DETAILS\n  *                                                         CVE-2025-14500                                                    :                             This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.                        \n* CVE ID: ADDITIONAL DETAILS\n  *                                                         CVE-2025-14500                                                    :                                                                                     IceWarp has issued an update to correct this vulnerability. More details can be found at:                                                        https://support.icewarp.com/hc/en-us/community/posts/40040980098705-EPOS-Update-2-build-9-14-2-0-9                                                                                                                                        \n* CVE ID: DISCLOSURE TIMELINE\n  *                                                         CVE-2025-14500                                                    :                                                             2025-09-26 - Vulnerability reported to vendor                                2025-12-10 - Coordinated public release of advisory                                2025-12-10 - Advisory Updated                                                    \n* CVE ID: CREDIT\n  *                                                         CVE-2025-14500                                                    : Oscar Bataille\n\n\n[BACK TO ADVISORIES](https://www.zerodayinitiative.com/advisories/)", "creation_timestamp": "2026-02-23T07:15:42.166579+00:00", "timestamp": "2026-02-23T07:15:42.166579+00:00", "related_vulnerabilities": ["CVE-2025-14500"], "meta": [{"ref": ["https://www.zerodayinitiative.com/advisories/ZDI-25-1072/"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}