Over 1,200 IceWarp Servers Remain Exposed to Unauthenticated RCE Vulnerability (CVE-2025-14500)

Critical Remote Code Execution Vulnerability in IceWarp Platform Remains Unpatched

A critical remote code execution vulnerability in the IceWarp business communication and collaboration platform remains unpatched on over 1,200 internet-facing servers, leaving them exposed to potential exploitation.

Vulnerability Details

The vulnerability, tracked as CVE-2025-14500, was initially reported in September 2025 and patched in October 2025. However, many organizations have yet to update their on-premises instances, prompting the Shadowserver Foundation to issue alerts to affected parties.

About IceWarp

IceWarp is a business communication and collaboration application developed by a Czech company of the same name. The platform is used as an alternative to popular solutions like Microsoft 365 or Google Workspace.

Vulnerability Explanation

The vulnerability in question is an OS command injection flaw that exists in the application’s handling of the X-File-Operation header. This vulnerability affects both Windows and Linux deployments.

The vulnerability occurs due to the application’s failure to properly validate and neutralize user-supplied string data before passing it to a system call. As a result, any remote attacker can send a maliciously crafted HTTP request to execute arbitrary OS commands in the context of the SYSTEM or root user.

Exploitation Concerns

The Centre for Cybersecurity Belgium (CCB) emphasized that authentication is not required for exploitation, making it a significant concern.

Patching and Mitigation

The vulnerability was patched in several versions of the IceWarp solution, including IceWarp Epos Update 2 version 14.2.0.9 or newer, IceWarp Epos Update 1 version 14.1.0.19 or newer, and IceWarp Epos version 14.0.0.18. Deep Castle version 13.0.3.13 was also affected. Cloud instances were immediately patched, but on-premises instances remain vulnerable if not updated.
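The following is an added example, not IceWarp or Shadowserver tooling, for triaging an on-premises inventory against the fixed builds listed above. It assumes each listed build is the minimum fixed build for its 14.x branch and that versions are collected as four-part strings; the hostnames and inventory are constructed, and any branch without a threshold here, including 13.x, is reported as unknown for manual review.

```python
import re

# Minimum fixed builds per release branch, taken from the article text (assumed to be minimums).
FIXED_BUILDS = {
    (14, 2): (14, 2, 0, 9),   # IceWarp Epos Update 2
    (14, 1): (14, 1, 0, 19),  # IceWarp Epos Update 1
    (14, 0): (14, 0, 0, 18),  # IceWarp Epos
}

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # Branch has no threshold above: flag for review instead of guessing.
        return "unknown"
    # Integer tuples compare numerically, so 14.1.0.7 < 14.1.0.19 (a string compare would not).
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Map {host: version} to {status: [hosts]} as a patch work list."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "14.2.0.9",
    "mail-b.example.test": "14.1.0.7",
    "mail-c.example.test": "14.0.0.18",
    "mail-d.example.test": "13.0.3.13",
    "mail-e.example.test": "14.2.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

A "patched" result only reflects the build number; it says nothing about whether the host was compromised before the update.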

IceWarp support has urged organizations to update their instances as soon as possible, emphasizing the need to back up the entire server before doing so. The company also noted that customers with an expired license will receive a new SaaS license for one month at no charge due to upgrade requirements.

Furthermore, the CCB pointed out that patching appliances or software to the newest version may protect against future exploitation but does not remediate historic compromise.

Current Status

Currently, there are no reports of in-the-wild exploitation of CVE-2025-14500. However, the Shadowserver Foundation’s findings suggest that many organizations remain vulnerable, and it is only a matter of time before attackers begin to exploit this flaw.
