CVE-2025-14706
published 2025-12-15

Priority: P279 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.49% (96.6th percentile)

A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
Vendor      Product       Version range  Fixed in
sgwbox      n3_firmware   <= 2.0.25
shiguangwu  sgwbox_n3

Detection & IOCs (extracted from sources)

path: /usr/sbin/http_eshell_server
url: /eshell
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell NETREBOOT Parameter Command Injection Attempt (CVE-2025-14706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|NETREBOOT|22|"; fast_pattern; within:20; content:"|22|params|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a807cb619f9d2e1bcda20; reference:cve,2025-14706; classtype:attempted-admin; sid:2066581; rev:1; metadata:affected_product sgwbox, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_05, cve CVE_2025_14706, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes:
|22|cmd|22 3a| ... |22|NETREBOOT|22| ... |22|params|22 3a|
  • Exploit targets HTTP POST requests to the /eshell URI on the sgwbox N3 device. Look for POST /eshell with a JSON body containing 'cmd':'NETREBOOT' and a 'params' field carrying shell metacharacters (;, newline, backtick, pipe, $) for command injection.
  • The injection payload is delivered via the 'params' field of the NETREBOOT command in the JSON body. Shell injection characters to watch for include: semicolon (;/%3B), newline (%0A/\n), backtick (`/%60), pipe (|/%7C), and dollar sign ($/%24).
  • The vulnerability is in the binary /usr/sbin/http_eshell_server on the sgwbox N3 device. Forensic investigation should focus on this process for signs of unexpected child process spawning.
  • Attack is unauthenticated and remotely exploitable over plaintext HTTP (tls_state: plaintext). Perimeter and internal network monitoring are both recommended deployment contexts for the Snort/Suricata rule (ET SID 2066581).
  • The exploit is publicly available. The vendor (Shiguangwu) was contacted but did not respond, meaning no official patch exists. Affected version is sgwbox N3 2.0.25; patch status is unknown.
  • The Snort/Suricata rule (ET SID 2066581) only covers plaintext HTTP traffic. If the eshell interface is ever served over TLS/HTTPS, this rule will not fire and additional SSL inspection or a separate rule would be required.
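
The checks described in the notes above, applied to already-captured requests (proxy or web logs, decrypted traffic) by parsing the JSON body instead of matching bytes. This is an added example, not part of the ET rule or any vendor tooling; the function names, the sample requests and the layout of the params value are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Metacharacters named in the detection notes: ; newline ` | $
SHELL_META = re.compile(r"[;\n`|$]")

def _strings(value):
    """Yield every string inside a JSON value (params may be a string, list or object)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)

def check_request(method, uri, body):
    """Return a list of findings for one HTTP request; an empty list means no match."""
    if method.upper() != "POST" or "/eshell" not in uri:
        return []
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(doc, dict) or doc.get("cmd") != "NETREBOOT":
        return []
    findings = []
    for text in _strings(doc.get("params")):
        # Check the raw value, then its percent-decoded form (%3B, %0A, %60, %7C, %24).
        for candidate in (text, unquote(text)):
            hit = SHELL_META.search(candidate)
            if hit:
                findings.append(f"shell metacharacter {hit.group()!r} in params value {text!r}")
                break
    return findings

# Constructed sample requests (method, URI, body); the params layout is assumed.
SAMPLES = [
    ("POST", "/eshell", '{"cmd":"NETREBOOT","params":"5"}'),
    ("POST", "/eshell", '{"cmd":"NETREBOOT","params":"5;echo test"}'),
    ("POST", "/eshell", '{"params":["5%7Cecho test"],"cmd":"NETREBOOT"}'),
    ("GET", "/eshell", '{"cmd":"NETREBOOT","params":"5;echo test"}'),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, check_request(method, uri, body) or "clean")
```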

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     8.9    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C