CVE-2025-14708
published 2025-12-15

Priority: P3, 55, high
CVSS 3.1: 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 5.70% (92.0th percentile)
A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component WIREDCFGGET Interface. Executing manipulation of the argument params can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges

Vendor        Product        Version range   Fixed in
sgwbox        n3_firmware    <= 2.0.25
shiguangwu    sgwbox_n3

Detection & IOCs (extracted from sources)

path: /usr/sbin/http_eshell_server
url: /eshell
snort rule (ET sid:2066586):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell WIREDCFGGET Parameter Command Injection Attempt (CVE-2025-14708)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|WIREDCFGGET|22|"; fast_pattern; within:20; content:"|22|params|22 3a|"; pcre:"/^[^,}$]{100,}(?:,|}|$)/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Buffer-Overflow-2be6cf4e528a808b9f71fe434929c73b; reference:cve,2025-14708; classtype:web-application-attack; sid:2066586; rev:1; metadata:affected_product sgwbox, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_05, cve CVE_2025_14708, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is HTTP POST to /eshell endpoint; look for JSON body containing the keys 'cmd', 'WIREDCFGGET', and 'params' in that order
  • Buffer overflow trigger is a 'params' value of 100 or more characters (not containing comma or closing brace), detectable via PCRE on the request body
  • Attack targets plaintext HTTP only (tls_state plaintext); TLS-encrypted traffic to the device would not match
  • Deploy detection at both Perimeter and Internal network boundaries, as the attack can be launched remotely
  • The vulnerable binary is /usr/sbin/http_eshell_server on Shiguangwu sgwbox N3 version 2.0.25; monitor for unexpected crashes or restarts of this process
  • The vendor (Shiguangwu) was contacted prior to disclosure but did not respond; no official patch or mitigation is available, so detection/blocking is the primary defensive option
  • The Snort/Suricata rule (ET sid:2066586) is scoped to plaintext HTTP; if the eshell interface is ever exposed over HTTPS, the rule will not fire and separate TLS-inspection coverage is needed
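As an added illustration (not part of the CVE record, the ET rule, or any vendor code), the following Python reproduces the ordered-content and PCRE logic of sid:2066586 in plain code and, going one step beyond the rule, applies the same condition at the JSON level so that whitespace or spacing variants the byte pattern misses are still flagged. The request bodies below are constructed for exercising the check, not captured traffic.

```python
import json
import re

# Constructed sample POST bodies to /eshell (not captured traffic).
SAMPLES = {
    # Normal-looking request: short params value, should not alert.
    "benign": '{"cmd":"WIREDCFGGET","params":"eth0"}',
    # params value of 100+ chars without ',' or '}' -> the rule's trigger.
    "long_params": '{"cmd":"WIREDCFGGET","params":"' + "A" * 120 + '"}',
    # Same long value but a different command: outside the rule's scope.
    "other_cmd": '{"cmd":"STATUS","params":"' + "A" * 120 + '"}',
    # Extra spaces around colons: the byte-exact content matches fail.
    "spaced": '{"cmd" : "WIREDCFGGET", "params" : "' + "A" * 120 + '"}',
}

# Relative PCRE from the rule: /^[^,}$]{100,}(?:,|}|$)/R, applied right
# after the '"params":' content match.
PARAMS_TAIL = re.compile(r'[^,}$]{100,}(?:,|}|$)')


def matches_et_2066586(body: str) -> bool:
    """Emulate the ordered content + PCRE checks of ET sid:2066586."""
    cmd_key, cmd_val, params_key = '"cmd":', '"WIREDCFGGET"', '"params":'
    i = body.find(cmd_key)
    if i < 0:
        return False
    cmd_end = i + len(cmd_key)
    j = body.find(cmd_val, cmd_end)
    # within:20 -> "WIREDCFGGET" must end within 20 bytes of the previous match end.
    if j < 0 or (j + len(cmd_val)) - cmd_end > 20:
        return False
    k = body.find(params_key, j + len(cmd_val))
    if k < 0:
        return False
    # pcre with /R is anchored where the previous content match ended.
    return PARAMS_TAIL.match(body[k + len(params_key):]) is not None


def long_params_json(body: str, limit: int = 100) -> bool:
    """Semantic check: parse the JSON and apply the trigger the record states."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return (isinstance(obj, dict) and obj.get("cmd") == "WIREDCFGGET"
            and len(str(obj.get("params", ""))) >= limit)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} rule={matches_et_2066586(body)} json={long_params_json(body)}")
```

The "spaced" sample shows the gap between the two checks: the byte-exact rule does not fire, while the JSON-level check still does, which is the reason to pair signature detection with the process-crash monitoring the bullets above recommend.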

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd     v4.0     8.9    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C