IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability
Created on 2026-02-23 07:15, updated on 2026-02-23 07:15, by Alexandre DulaunoyDescription
ZDI-25-1072 | Zero Day Initiative
December 10th, 2025
IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability
ZDI-25-1072
ZDI-CAN-27394
- CVE ID: CVSS SCORE
- CVE-2025-14500 : 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE ID: AFFECTED VENDORS
- CVE-2025-14500 : IceWarp
- CVE ID: AFFECTED PRODUCTS
- CVE-2025-14500 : IceWarp
- CVE ID: VULNERABILITY DETAILS
- CVE-2025-14500 : This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
- CVE ID: ADDITIONAL DETAILS
- CVE-2025-14500 : IceWarp has issued an update to correct this vulnerability. More details can be found at: https://support.icewarp.com/hc/en-us/community/posts/40040980098705-EPOS-Update-2-build-9-14-2-0-9
- CVE ID: DISCLOSURE TIMELINE
- CVE-2025-14500 : 2025-09-26 - Vulnerability reported to vendor 2025-12-10 - Coordinated public release of advisory 2025-12-10 - Advisory Updated
- CVE ID: CREDIT
- CVE-2025-14500 : Oscar Bataille
Vulnerabilities included in this bundle
Meta
[
{
"ref": [
"https://www.zerodayinitiative.com/advisories/ZDI-25-1072/"
]
}
]
Combined detection rules
Detection rules are retrieved from Rulezet.
Loading…
Combined sightings
| Author | Vulnerability | Source | Type | Date |
|---|