CVE-2025-14500

Name of the Vulnerable Software and Affected Versions IceWarp versions prior to 9.14.2.0.9

Description This issue is a command injection flaw in the handling of the X-File-Operation header. It allows remote attackers to execute arbitrary code on affected IceWarp installations without authentication. The root cause is a lack of proper validation of user-supplied data before it is used in a system call, enabling an attacker to execute code with SYSTEM or root privileges. Reports indicate over 1,200 servers remain vulnerable. The API endpoint involved is not explicitly specified, but the vulnerability is triggered through the X-File-Operation header.

Recommendations Update IceWarp to version 9.14.2.0.9 or later.