CVE-2025-14709
Published 2025-12-15
Priority: P2 · 70 · critical · CVSS 3.1 base score 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 5.16% (91.4th percentile)
A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the component WIRELESSCFGGET Interface. The manipulation of the argument params leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sgwbox | n3_firmware | <= 2.0.25 | — |
| shiguangwu | sgwbox_n3 | — | — |
Detection & IOCs
URL: /eshell
Rule (ET Open SID 2066587; the sticky-buffer keywords http.method, http.uri and http.request_body are Suricata 5+ syntax):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS sgwbox eshell WIRELESSCFGGET Parameter Command Injection Attempt (CVE-2025-14709)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/eshell"; http.request_body; content:"|22|cmd|22 3a|"; content:"|22|WIRELESSCFGGET|22|"; fast_pattern; within:30; content:"|22|params|22 3a|"; pcre:"/^[^,}$]{100,}(?:,|}|$)/R"; reference:url,www.notion.so/sgwbox-NAS-N3-Buffer-Overflow-2be6cf4e528a80258b82dee0d6d1ebd1; reference:cve,2025-14709; classtype:web-application-attack; sid:2066587; rev:1; metadata:affected_product sgwbox, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_05, cve CVE_2025_14709, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes: |22|cmd|22 3a| ... |22|WIRELESSCFGGET|22| ... |22|params|22 3a|
- Exploit traffic is plaintext HTTP; the rule is tagged tls_state plaintext and sees nothing inside TLS. Look for inbound POST requests whose URI contains /eshell, on any port, directed at $HOME_NET hosts (the `alert http` protocol keyword relies on Suricata's HTTP app-layer detection, not on a fixed port).
- The payload is delivered in the request body as JSON: a "cmd" key whose value is "WIRELESSCFGGET" (the rule requires that value to lie entirely within the 30 bytes after `"cmd":`), followed by a "params" key. The pcre fires when the bytes immediately after `"params":` run for 100 or more characters without a comma, closing brace or dollar sign. That length is a heuristic chosen by the rule author, not the real overflow threshold, which the advisory does not state: a legitimately long value trips the rule, and a shorter value that still overflows does not.
- The content matches are literal byte strings, so a body that writes `"cmd" :` or `"params" :` with whitespace before the colon, or encodes the keys in any non-literal way, is not matched even though a JSON parser accepts it.
- The vulnerable component is the WIRELESSCFGGET interface of /usr/sbin/http_eshell_server in sgwbox N3 firmware up to and including 2.0.25. Presence of that binary on a device confirms the affected attack surface is present.
- The exploit has been publicly disclosed. Treat any POST to /eshell carrying a large params value as a high-confidence exploitation attempt (ET Open SID 2066587). The rule's msg says "Command Injection" while the CVE describes a buffer overflow; the detection logic, an oversized params value, is the same either way.
- Because the rule covers plaintext only, if the sgwbox device is ever configured to serve the eshell interface over HTTPS, the rule will not fire and TLS-inspection coverage would be required.
- The vendor (Shiguangwu) did not respond to the disclosure and no patch is available. The only mitigation is network-level: restrict access to the /eshell endpoint (and the device's management interface generally) to trusted hosts, and do not expose the device to the internet.
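The rule's match chain, emulated in Python over constructed HTTP requests, as an added example (not the page's or Emerging Threats' code). It shows which requests fire, where the 100-byte threshold sits, and that the literal `"cmd":` match misses a body with a space before the colon. The request bodies, the target address and the command name OTHERCMD are constructed for the example; Suricata itself matches on reassembled, normalized buffers, which this single-request approximation does not model.

```python
import re

# Added example: emulates the content/pcre chain of ET Open SID 2066587
# (the Suricata rule quoted above) over parsed HTTP requests. Not the
# page's or Emerging Threats' code.

# Literal byte patterns from the rule's content: keywords.
CMD_KEY = b'"cmd":'                 # |22|cmd|22 3a|
CMD_VALUE = b'"WIRELESSCFGGET"'     # |22|WIRELESSCFGGET|22|, within:30
PARAMS_KEY = b'"params":'           # |22|params|22 3a|

# pcre:"/^[^,}$]{100,}(?:,|}|$)/R": /R anchors the regex at the end of the
# previous content match. Pattern.match(body, pos) supplies that anchor, so
# the leading ^ is dropped (Python's ^ would not match at pos > 0). The $
# inside the character class is a literal dollar sign.
PARAMS_PCRE = re.compile(rb'[^,}$]{100,}(?:,|}|$)')


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request split: returns (method, uri, body) or None."""
    head, _, body = raw.partition(b'\r\n\r\n')
    parts = head.split(b'\r\n', 1)[0].split(b' ')
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def matches_sid_2066587(raw: bytes) -> bool:
    """True if the request would satisfy the rule's match chain."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if b'POST' not in method:          # http.method; content:"POST"
        return False
    if b'/eshell' not in uri:          # http.uri; content:"/eshell" (substring)
        return False
    i = body.find(CMD_KEY)             # http.request_body; content:"\"cmd\":"
    if i < 0:
        return False
    i += len(CMD_KEY)
    # within:30 -> the next content must lie entirely inside the 30 bytes
    # following the previous match.
    j = body.find(CMD_VALUE, i, i + 30)
    if j < 0:
        return False
    j += len(CMD_VALUE)
    k = body.find(PARAMS_KEY, j)       # no distance/within: anywhere later
    if k < 0:
        return False
    k += len(PARAMS_KEY)
    return PARAMS_PCRE.match(body, k) is not None


def build_request(body: bytes, uri: bytes = b'/eshell', method: bytes = b'POST') -> bytes:
    """Constructed HTTP/1.1 request to a sample target (RFC 5737 address)."""
    return (method + b' ' + uri + b' HTTP/1.1\r\n'
            b'Host: 192.0.2.10\r\n'
            b'Content-Type: application/json\r\n'
            b'Content-Length: ' + str(len(body)).encode() + b'\r\n\r\n' + body)


# Constructed sample traffic: a benign call, an oversized params value, a
# whitespace variant the literal content matches miss, a made-up other
# command (OTHERCMD is not a real sgwbox command), and a GET.
SAMPLES = {
    'benign':     build_request(b'{"cmd":"WIRELESSCFGGET","params":"wlan0"}'),
    'overflow':   build_request(b'{"cmd":"WIRELESSCFGGET","params":"' + b'A' * 300 + b'"}'),
    'spaced':     build_request(b'{"cmd" : "WIRELESSCFGGET", "params" : "' + b'A' * 300 + b'"}'),
    'other_cmd':  build_request(b'{"cmd":"OTHERCMD","params":"' + b'A' * 300 + b'"}'),
    'get_method': build_request(b'{"cmd":"WIRELESSCFGGET","params":"' + b'A' * 300 + b'"}',
                                method=b'GET'),
}


def scan(samples: dict) -> dict:
    """Run every sample through the emulated rule; returns name -> alerted."""
    return {name: matches_sid_2066587(raw) for name, raw in samples.items()}


if __name__ == '__main__':
    for name, hit in scan(SAMPLES).items():
        print(f'{name:10s} {"ALERT" if hit else "-"}')
```

Only the overflow sample alerts. The trailing `(?:,|}|$)` in the pcre is always satisfiable once 100 bytes of the class have been consumed, because the class already excludes those terminators, so the effective signal is simply "100 or more bytes after `"params":` with no comma, closing brace or dollar sign", counting the value's opening quote. The spaced sample documents the evasion the literal matches allow; a rule that wanted to close it would need to tolerate whitespace around the colon.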
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS sgwbox eshell WIRELESSCFGGET Parameter Command Injection Attempt (CVE-2025-14709)
suricata · 2026-01-05 · severity HIGH · CVSS 8.9
Rule: ET Open SID 2066587, quoted in full under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.