CVE-2025-14704
published 2025-12-15


Priority: P2 (72), critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 11.03% (95.4th percentile)
A vulnerability was found in Shiguangwu sgwbox N3 2.0.25. The impacted element is an unknown function of the file /eshell of the component API. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
sgwbox | n3_firmware | <= 2.0.25 |
shiguangwu | sgwbox_n3 | |

Detection & IOCs (extracted from sources)

path: /eshell
url: https://www.notion.so/sgwbox-NAS-N3-Directory-Traversal-2be6cf4e528a802a9c0ad6f01b75694e
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell COPY Parameter Directory Traversal Attempt (CVE-2025-14704)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; fast_pattern; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|COPY|22|"; distance:0; content:"|22|params|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Directory-Traversal-2be6cf4e528a802a9c0ad6f01b75694e; reference:cve,2025-14704; classtype:attempted-admin; sid:2066579; rev:1; metadata:affected_product sgwbox, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_05, cve CVE_2025_14704, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit uses HTTP POST method targeting the /eshell API endpoint on the sgwbox N3 device.
  • Request body must contain the JSON key 'cmd' (hex |22|cmd|22 3a|) indicating a command dispatch structure.
  • The specific command triggered is 'COPY' (hex |22|COPY|22|), which is the vector for directory traversal in the params field.
  • Directory traversal payload appears in the 'params' field of the JSON body; PCRE matches sequences of dot-dot (../ or URL-encoded equivalents) repeated at least twice.
  • Attack is conducted over plaintext HTTP (not TLS); deploy detection at perimeter and internal network boundaries.
  • MITRE ATT&CK mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
  • The affected function within /eshell is described as unknown; the exact internal code path exploited has not been fully disclosed.
  • The vendor (Shiguangwu) was notified prior to disclosure but did not respond; no official patch or mitigation is available from the vendor.
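
The rule's match conditions, ported to Python so that request bodies already captured in proxy or web logs can be triaged retroactively. This is an added example, not part of the original page or the rule author's code; the names `matches_rule` and `triage` and the sample records are constructed for illustration, and the value layout inside "params" is an assumption.

```python
import re

# Port of the rule's pcre without the leading '^': Pattern.match() with a
# start offset gives the same anchoring as the rule's /R (relative) modifier.
TRAVERSAL = re.compile(
    rb"[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)
PARAMS_KEY = re.compile(rb'"params":')


def matches_rule(method: str, uri: str, body: bytes) -> bool:
    """Return True when a request meets the conditions of sid 2066579."""
    if "POST" not in method or "/eshell" not in uri:
        return False
    # "COPY" must appear at or after the end of "cmd": (distance:0).
    cmd_at = body.find(b'"cmd":')
    if cmd_at < 0 or body.find(b'"COPY"', cmd_at + len(b'"cmd":')) < 0:
        return False
    # "params": carries no distance modifier, so it may sit anywhere in the
    # body; the traversal pattern must start right after it.
    return any(TRAVERSAL.match(body, m.end()) for m in PARAMS_KEY.finditer(body))


# Constructed request records (method, URI, body) for illustration only.
SAMPLES = [
    ("POST", "/eshell", b'{"cmd":"COPY","params":"../../placeholder"}'),
    ("POST", "/eshell", b'{"cmd":"COPY","params":"%2e%2e%2f%2E%2E%5Cplaceholder"}'),
    ("POST", "/eshell", b'{"cmd":"COPY","params":"../placeholder"}'),
    ("POST", "/eshell", b'{"cmd":"COPY","params":"docs/report.txt"}'),
    ("POST", "/eshell", b'{"cmd":"LIST","params":"../../placeholder"}'),
    ("GET", "/eshell", b'{"cmd":"COPY","params":"../../placeholder"}'),
]


def triage(records):
    """Return the indexes of records the rule logic would alert on."""
    return [i for i, rec in enumerate(records) if matches_rule(*rec)]


if __name__ == "__main__":
    for i in triage(SAMPLES):
        print("alert:", SAMPLES[i][:2])
```

Only the first two records alert: the third has a single dot-dot segment (the pattern requires at least two), and the rest fail the command or method conditions.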

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P