cbcvebase.
CVE-2025-14707
published 2025-12-15

Priority P277 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 16.49% (96.6th percentile)

A security flaw has been discovered in Shiguangwu sgwbox N3 2.0.25. It affects an unknown function of the file /usr/sbin/http_eshell_server in the DOCKER Feature component. Manipulating the argument params results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| sgwbox | n3_firmware | <= 2.0.25 | |
| shiguangwu | sgwbox_n3 | | |

Detection & IOCs (extracted from sources)

path: /usr/sbin/http_eshell_server
url: /eshell
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell DOCKERARMI Parameter Command Injection Attempt (CVE-2025-14707)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|DOCKERARMI|22|"; fast_pattern; within:20; content:"|22|params|22 3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a805f9b94f7b8799c77a8; reference:cve,2025-14707; classtype:attempted-admin; sid:2066588; rev:1; metadata:affected_product sgwbox, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_05, cve CVE_2025_14707, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic uses HTTP POST to the /eshell endpoint with a JSON body containing the 'cmd' key set to 'DOCKERARMI' and a 'params' key whose value includes shell injection metacharacters (;, newline, backtick, pipe, $).
  • The injection point is the 'params' argument passed to the DOCKERARMI command handler inside the DOCKER feature of the sgwbox N3 device; look for URL-encoded or raw shell metacharacters (;, %3B, %0A, `, %60, |, %7C, $, %24) immediately following the params value.
  • Attack is plaintext (non-TLS) and targets the device directly; deploy detection at the network perimeter and internally.
  • The exploit is publicly available; treat any POST to /eshell with DOCKERARMI in the body as high-confidence attempted admin compromise (MITRE T1190 – Exploit Public-Facing Application).
  • The vulnerable binary path (/usr/sbin/http_eshell_server) is specific to Shiguangwu sgwbox N3 firmware version 2.0.25; other versions are unconfirmed.
  • The vendor did not respond to disclosure; no official patch or mitigation is available from the vendor at time of publication.
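
The matching logic described in the bullets above, written out as an added example for triaging captured requests offline; it is not code from the advisory or from the rule's authors. The function names and the (method, URI, body) tuple format are assumptions, and the sample requests are constructed.

```python
import re

# Byte patterns taken from the rule on this page.
CMD_KEY = b'"cmd":'
CMD_VAL = b'"DOCKERARMI"'
# "params": followed, before any '&', by one of the metacharacters the page
# lists, raw or URL-encoded: ; newline ` | $
PARAMS_META = re.compile(
    rb'"params":[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)'
)

def is_injection_attempt(method: str, uri: str, body: bytes) -> bool:
    """Apply the rule's checks to one HTTP request (assumed tuple format)."""
    if method.upper() != "POST" or "/eshell" not in uri:
        return False
    i = body.find(CMD_KEY)
    if i < 0:
        return False
    start = i + len(CMD_KEY)
    # within:20 -> "DOCKERARMI" must end within 20 bytes of the "cmd": key
    if body.find(CMD_VAL, start, start + 20) < 0:
        return False
    # Like the rule, this scans to the first '&', so a metacharacter in a
    # later JSON field of the same body also matches.
    return PARAMS_META.search(body) is not None

def scan(requests):
    """Return the indexes of requests that match the rule's logic."""
    return [n for n, r in enumerate(requests) if is_injection_attempt(*r)]

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/eshell", b'{"cmd":"DOCKERARMI","params":"nginx;true"}'),
    ("POST", "/eshell", b'{"cmd":"DOCKERARMI","params":"nginx%7Ctrue"}'),
    ("POST", "/eshell", b'{"cmd":"DOCKERARMI","params":"nginx:latest"}'),
    ("POST", "/eshell", b'{"cmd":"STATUS","params":"a;b"}'),
    ("GET", "/eshell", b''),
]

if __name__ == "__main__":
    for n in scan(SAMPLES):
        print("match:", SAMPLES[n][2].decode())
```

Because the check works on raw bytes as the rule does, a newline written as the two-character JSON escape `\n` is not matched; only a literal 0x0A byte or `%0A` is.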

CVSS provenance

| Source | Version | Score | Severity | Vector |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |