CVE-2025-14500 – IceWarp – X-File-Operation Command Injection Remote Code Execution Vulnerability
“One malicious header can hand attackers full control of your email server.”
A patch addresses CVE-2025-14500, a critical remote code execution vulnerability in the IceWarp collaboration and email platform. The issue stems from improper validation of the X-File-Operation HTTP header, which allows attackers to inject operating system commands. Because the vulnerable component executes the user-supplied input directly in a system call, a remote attacker can run arbitrary commands on the server.
The vulnerability carries a CVSS score of 9.8 (Critical).
This vulnerability can be exploited remotely without authentication. Successful exploitation allows attackers to execute commands with SYSTEM or root-level privileges, potentially exposing email systems, stored files, conferencing services, and authentication data within affected environments. A vendor patch has been released and should be applied immediately to all exposed servers.
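As an added illustration, not code from IceWarp or from the advisory, the following Python shows the defensive side of the CWE-78 weakness described above: an allow-list validator for the header value, an argument-vector dispatch that never hands the value to a shell, and a retrospective check over log lines that flags requests carrying a value outside the allow-list. Every concrete name in it is hypothetical: the operation names, the `filetool` helper path, the request endpoint and the log format are constructed for the example and are not IceWarp's.

```python
import re

# Constructed allow-list for illustration only; the advisory does not list the
# real X-File-Operation values IceWarp accepts, so treat these as placeholders.
ALLOWED_OPERATIONS = frozenset({"copy", "move", "delete", "rename"})

# A valid operation name is a short lowercase token and nothing else: no spaces,
# no shell metacharacters, no path separators.
_TOKEN_RE = re.compile(r"[a-z]{1,16}")


def validate_file_operation(header_value):
    """Return the canonical operation name or raise ValueError.

    Allow-list validation is the CWE-78 fix: the header is compared against
    known-good names rather than filtered for known-bad characters.
    """
    if header_value is None:
        raise ValueError("missing X-File-Operation header")
    candidate = header_value.strip().lower()
    if not _TOKEN_RE.fullmatch(candidate) or candidate not in ALLOWED_OPERATIONS:
        raise ValueError("rejected X-File-Operation value: %r" % header_value)
    return candidate


def build_command(header_value, target_path):
    """Build the argv list for a hypothetical helper binary 'filetool'.

    The operation is validated first, and the result is an argument vector
    (meant for subprocess.run(argv) with no shell), so a metacharacter in
    target_path stays a literal argument instead of being parsed by /bin/sh.
    """
    op = validate_file_operation(header_value)
    return ["/usr/local/bin/filetool", "--operation", op, "--path", target_path]


# Matches 'X-File-Operation: <value>' in the constructed log format below; a real
# deployment would parse its own proxy or WAF access-log format instead.
_HEADER_RE = re.compile(r'X-File-Operation:\s*"?([^"]*)"?', re.IGNORECASE)


def find_rejected_requests(log_lines):
    """Return (line_number, header_value) for lines whose header fails validation.

    Useful as a retrospective check after patching: any request that carried a
    value outside the allow-list deserves an analyst's attention.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _HEADER_RE.search(line)
        if match is None:
            continue
        try:
            validate_file_operation(match.group(1))
        except ValueError:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample log lines (endpoint and format are invented for this example).
SAMPLE_LOG = [
    '203.0.113.5 "POST /placeholder-endpoint" "X-File-Operation: copy" 200',
    '203.0.113.5 "POST /placeholder-endpoint" "X-File-Operation: move" 200',
    '198.51.100.9 "POST /placeholder-endpoint" "X-File-Operation: copy; id" 500',
    '198.51.100.9 "POST /placeholder-endpoint" "X-File-Operation: $(hostname)" 500',
    '192.0.2.7 "GET /" 200',
]

if __name__ == "__main__":
    # The path argument keeps its metacharacter as data; nothing is executed here.
    print(build_command("copy", "/data/report; echo injected"))
    for number, value in find_rejected_requests(SAMPLE_LOG):
        print("line %d: rejected header value %r" % (number, value))
```

The point of `build_command` is that validation and dispatch are separate concerns: even after the operation name is checked, the command is assembled as an argument vector so that no part of the request is ever re-parsed by a shell.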
Key Details
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-78 (OS Command Injection)