CVE-2025-14705
Published 2025-12-15
Priority: P276 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.61% (96.2th percentile)
A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sgwbox | n3_firmware | <= 2.0.25 | — |
| shiguangwu | sgwbox_n3 | — | — |
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell SHARESERVERCREATE Parameter Command Injection Attempt (CVE-2025-14705)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|SHARESERVERCREATE|22|"; fast_pattern; within:30; content:"|22|params|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a80d69da5d6d17456a183; reference:cve,2025-14705; classtype:attempted-admin; sid:2066580; rev:1;)
bytes
|22|cmd|22 3a| with |22|SHARESERVERCREATE|22| within 30 bytes, followed by |22|params|22 3a|
- Exploit traffic is plaintext HTTP POST to the /eshell endpoint; look for a JSON body containing 'cmd':'SHARESERVERCREATE' with a 'params' field carrying shell metacharacters (;, newline, backtick, pipe, $), either raw or URL-encoded.
- The injection point is the 'params' argument of the SHARESERVERCREATE command; any of the following characters/sequences in that field indicate exploitation: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
- Attack is remotely initiated and the exploit has been publicly disclosed; prioritise perimeter and internal network monitoring for inbound HTTP POST requests to /eshell on NAS/networking devices.
- The Snort/Suricata rule targets plaintext HTTP only (tls_state plaintext); if the sgwbox admin interface is served over HTTPS, TLS inspection must be enabled on the monitoring sensor for this rule to fire.
- The vendor (Shiguangwu) did not respond to disclosure; no patch is confirmed available, making detection and network-level blocking the primary mitigation.
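The rule's matching logic, reproduced as an added Python example for checking captured or logged requests offline; it is not part of the original page or of the ET ruleset. The function names and the sample request bodies (including how "params" is nested) are constructed assumptions.

```python
import re

# Byte patterns taken from the rule's content options.
CMD_KEY, CMD_VAL, PARAMS_KEY = b'"cmd":', b'"SHARESERVERCREATE"', b'"params":'
# The rule's pcre without its leading ^: Pattern.match(buf, pos) already anchors
# at pos, which mirrors the /R (relative to previous match) flag.
META = re.compile(
    rb'[^\x26]*?(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)')

def _ends(buf, needle):
    """Yield the offset just past every occurrence of needle in buf."""
    pos = buf.find(needle)
    while pos != -1:
        yield pos + len(needle)
        pos = buf.find(needle, pos + 1)

def rule_matches(method, uri, body):
    """Return True when a request satisfies the same conditions as sid 2066580."""
    if b"POST" not in method or b"/eshell" not in uri:
        return False
    # within:30 -> "SHARESERVERCREATE" must end within 30 bytes after "cmd":
    if not any(CMD_VAL in body[e:e + 30] for e in _ends(body, CMD_KEY)):
        return False
    # Metacharacter (raw or URL-encoded) after "params":, before any '&'
    return any(META.match(body, e) for e in _ends(body, PARAMS_KEY))

# Constructed sample requests (method, URI, body). PLACEHOLDER stands in for
# whatever would follow the metacharacter; "OTHER" is a made-up command name.
SAMPLES = [
    (b"POST", b"/eshell", b'{"cmd":"SHARESERVERCREATE","params":{"name":"media;PLACEHOLDER"}}'),
    (b"POST", b"/eshell", b'{"cmd":"SHARESERVERCREATE","params":{"name":"media%7CPLACEHOLDER"}}'),
    (b"POST", b"/eshell", b'{"cmd":"SHARESERVERCREATE","params":{"name":"media"}}'),
    (b"POST", b"/eshell", b'{"cmd":"OTHER","params":{"name":"a;b"}}'),
    (b"POST", b"/login", b'{"cmd":"SHARESERVERCREATE","params":{"name":"a;b"}}'),
]

def scan(requests):
    """Return the indexes of requests that would raise the alert."""
    return [i for i, (m, u, b) in enumerate(requests) if rule_matches(m, u, b)]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print("alert sid:2066580 on sample", i)
```

Only the first two samples alert: the third has no metacharacter after "params":, the fourth carries a different cmd value, and the fifth is not sent to /eshell.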
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS sgwbox eshell SHARESERVERCREATE Parameter Command Injection Attempt (CVE-2025-14705)
suricata·2026-01-05·CVSS 8.9
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell SHARESERVERCREATE Parameter Command Injection Attempt (CVE-2025-14705)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|SHARESERVERCREATE|22|"; fast_pattern; within:30; content:"|22|params|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a80d69da5d6d17456a183; reference:cve,2025-14705; classtype:attempted-admin; sid:2066580; rev:1; metadata:affected_product sgwbox, attack_target
No public exploits indexed.
No writeups or analysis indexed.