CVE-2025-14705
published 2025-12-15


Priority: P276, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.61% (96.2th percentile)
A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
sgwbox | n3_firmware | <= 2.0.25 | -
shiguangwu | sgwbox_n3 | - | -

Detection & IOCs (extracted from sources)

URL: /eshell
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell SHARESERVERCREATE Parameter Command Injection Attempt (CVE-2025-14705)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|SHARESERVERCREATE|22|"; fast_pattern; within:30; content:"|22|params|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a80d69da5d6d17456a183; reference:cve,2025-14705; classtype:attempted-admin; sid:2066580; rev:1;)
Byte pattern:
|22|cmd|22 3a| with |22|SHARESERVERCREATE|22| within 30 bytes, followed by |22|params|22 3a|
  • Exploit traffic is plaintext HTTP POST to /eshell endpoint; look for JSON body containing 'cmd':'SHARESERVERCREATE' with a 'params' field carrying shell metacharacters (;, newline, backtick, pipe, $) — either raw or URL-encoded.
  • The injection point is the 'params' argument of the SHARESERVERCREATE command; any of the following characters/sequences in that field indicate exploitation: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
  • Attack is remotely initiated and the exploit has been publicly disclosed; prioritise perimeter and internal network monitoring for inbound HTTP POST requests to /eshell on NAS/networking devices.
  • The Snort/Suricata rule targets plaintext HTTP only (tls_state plaintext); if the sgwbox admin interface is served over HTTPS, TLS inspection must be enabled on the monitoring sensor for this rule to fire.
  • The vendor (Shiguangwu) did not respond to disclosure; no patch is confirmed available, making detection and network-level blocking the primary mitigation.
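
The check described in the notes above, written as a triage function for proxy or sensor logs that already hold the request method, path and body. This is an added example, not the rule author's or the vendor's code; the function names, the layout of the params object and the sample requests are constructed assumptions. It inspects the decoded params value rather than raw bytes, so pretty-printed JSON does not trigger on its own line breaks.

```python
import json
import re
from urllib.parse import unquote

# Metacharacters named on this page: semicolon, newline, backtick, pipe, dollar.
META = re.compile(r"[;\n`|$]")


def _strings(value):
    """Yield every string (keys included) inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def flag_request(method, path, body):
    """Return the sorted metacharacters found in 'params', or [] if clean."""
    if method.upper() != "POST" or "/eshell" not in path:
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        # Malformed JSON: fall back to scanning the raw text after "params":
        tail = re.search(r'"params"\s*:(.*)', body, re.S)
        if '"SHARESERVERCREATE"' not in body or not tail:
            return []
        return sorted(set(META.findall(unquote(tail.group(1)))))
    if not isinstance(doc, dict) or doc.get("cmd") != "SHARESERVERCREATE":
        return []
    hits = set()
    for text in _strings(doc.get("params")):
        hits.update(META.findall(unquote(text)))  # raw or URL-encoded form
    return sorted(hits)


# Constructed sample requests (the params layout is an assumption).
SAMPLES = [
    ("POST", "/eshell", '{"cmd": "SHARESERVERCREATE", "params": {"name": "media"}}'),
    ("POST", "/eshell", '{\n "cmd": "SHARESERVERCREATE",\n "params": {"name": "media"}\n}'),
    ("POST", "/eshell", '{"cmd": "SHARESERVERCREATE", "params": {"name": "a;b"}}'),
    ("POST", "/eshell", '{"cmd": "SHARESERVERCREATE", "params": "a%7Cb"}'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(flag_request(*sample), sample[2][:50].replace("\n", " "))
```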

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C