Remote Code Execution Vulnerability in IceWarp by IceWarp Limited
CVE-2025-14500

9.8CRITICAL

Key Information:

Vendor: Icewarp
Status: Icewarp
Vendor: CVE Published:; 23 December 2025

What is CVE-2025-14500?

The IceWarp product has a vulnerability that allows remote attackers to execute arbitrary code due to improper validation of the X-File-Operation header. This flaw permits unauthorized command execution on affected installations without requiring authentication, leading to potential full access to the system. Attackers can exploit this vulnerability to run arbitrary commands in the context of the operating system, posing serious risks to data security and system integrity. For further details, refer to the ZDI advisory.

Affected Version(s)

IceWarp 14.2.0.5

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1072/

x_research-advisory

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 23, 2025
Vulnerability Reserved
Dec 10, 2025

JSON

Icewarp

What is CVE-2025-14500?

Affected Version(s)

References

CVSS V3.0

Timeline