CVE-2025-14187

7.2 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

A buffer overflow vulnerability in UGREEN DH2100+ NAS devices allows remote attackers to execute arbitrary code by manipulating the 'path' parameter in the backup creation function. This affects all users running nas_svr component versions up to 5.3.0.251125. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

• UGREEN DH2100+

Versions: up to 5.3.0.251125

Operating Systems: NAS firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the nas_svr component specifically in the backup creation endpoint

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, ransomware deployment, or device becoming part of botnet

🟠

Likely Case

Remote code execution allowing attacker to gain shell access, install malware, or pivot to internal network

🟢

If Mitigated

Attack blocked at network perimeter or device isolated, preventing exploitation

🌐 Internet-Facing: HIGH - Attack can be executed remotely and public exploit exists

🏢 Internal Only: HIGH - Even internally, the vulnerability allows remote exploitation within network

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit has been made publicly available according to references, making attacks more likely

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 5.3.0.251125

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Log into UGREEN NAS admin interface
2. Navigate to System Settings > Firmware Update
3. Check for and apply latest firmware update
4. Reboot device after update completes

🔧 Temporary Workarounds

Disable remote backup functionality

all

Temporarily disable the vulnerable backup creation endpoint

Network segmentation

all

Isolate NAS device from internet and restrict internal access

🧯 If You Can't Patch

• Immediately isolate device from internet and restrict to necessary internal access only
• Implement strict network monitoring and IDS/IPS rules for suspicious traffic to NAS

🔍 How to Verify

Check if Vulnerable:

Copy

Check firmware version in NAS admin interface under System Information

Check Version:

Copy

Check via web interface: System Settings > Firmware Information

Verify Fix Applied:

Copy

Confirm firmware version is greater than 5.3.0.251125

📡 Detection & Monitoring

Log Indicators:

• Unusual POST requests to /v1/file/backup/create with long path parameters
• Multiple failed backup creation attempts
• Unexpected process execution or system reboots

Network Indicators:

• Unusual outbound connections from NAS device
• Traffic patterns suggesting reverse shells
• Exploit kit traffic to NAS IP

SIEM Query:

Copy

source="nas_logs" AND (uri="/v1/file/backup/create" AND (path_length>100 OR contains(path,"..")))

📊 Metadata

CVE ID: CVE-2025-14187

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.06% exploit probability (17.6th percentile)

Published: December 7, 2025

Last Updated: January 28, 2026

🔗 References

• https://vuldb.com/?ctiid.334607
• https://vuldb.com/?id.334607
• https://vuldb.com/?submit.698652
• https://www.notion.so/2b16cf4e528a80bbb5fdeff145f110ec

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14187, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)

CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)

CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)