CVE-2025-14706

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Shiguangwu sgwbox N3 devices through command injection in the NETREBOOT Interface. Attackers can exploit this without authentication to gain full control of affected systems. All users running sgwbox N3 version 2.0.25 are affected.

💻 Affected Systems

Products:
  • Shiguangwu sgwbox N3
Versions: 2.0.25
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the NETREBOOT Interface component via /usr/sbin/http_eshell_server. All default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, exfiltrate data, pivot to other systems, or render the device unusable.

🟠 Likely Case

Remote code execution leading to data theft, ransomware deployment, or unauthorized access to network resources.

🟢 If Mitigated

Limited impact if device is isolated from internet and internal networks with strict network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available, making this easily weaponizable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacement of affected devices.

🔧 Temporary Workarounds

Network Isolation (Linux)

Block access to the NETREBOOT Interface from untrusted networks

iptables -A INPUT -p tcp --dport [NETREBOOT_PORT] -j DROP
ufw deny [NETREBOOT_PORT]

Service Disablement (Linux)

Disable the vulnerable http_eshell_server service

systemctl stop http_eshell_server
systemctl disable http_eshell_server
chmod -x /usr/sbin/http_eshell_server

🧯 If You Can't Patch

  • Immediately isolate affected devices from internet and critical internal networks
  • Implement strict network segmentation and monitor for suspicious outbound connections

🔍 How to Verify

Check if Vulnerable:

Check if /usr/sbin/http_eshell_server exists and device version is 2.0.25

Check Version:

grep sgwbox /etc/version

Verify Fix Applied:

Verify http_eshell_server service is stopped and inaccessible on network
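
The checks in this section, combined with the state left by the Service Disablement workaround, as one POSIX sh script. This is an added example, not code from the vendor or the original page; the function names are hypothetical, and the layout of /etc/version (a line containing "sgwbox" and the version number) is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code): triage an sgwbox N3 for CVE-2025-14706.
# ROOT defaults to / but may point at an unpacked firmware tree.
BIN_REL=usr/sbin/http_eshell_server   # binary named in the advisory
VER_REL=etc/version                   # file read by the page's version check
BAD_VER='2\.0\.25'                    # affected version, regex-escaped

# Prints: other-version | binary-absent | not-executable | vulnerable
sgwbox_disk_state() {
    root=${1:-/}; root=${root%/}
    # Assumption: the version string sits on the line that mentions sgwbox.
    # Digit/dot guards stop 2.0.25 from matching 12.0.25 or 2.0.251.
    if ! grep sgwbox "$root/$VER_REL" 2>/dev/null |
            grep -Eq "(^|[^0-9.])$BAD_VER([^0-9.]|\$)"; then
        echo other-version
    elif [ ! -e "$root/$BIN_REL" ]; then
        echo binary-absent
    elif [ ! -x "$root/$BIN_REL" ]; then
        echo not-executable
    else
        echo vulnerable
    fi
}

# Reads a process listing on stdin; succeeds if the service is still running.
# The [h] bracket keeps a grep that appears in the listing from matching itself.
eshell_running() {
    grep -q '[h]ttp_eshell_server'
}

# Combines both views and returns 1 when action is still needed. A binary
# whose execute bit was removed can keep running from before the chmod,
# so "not-executable running" counts as an incomplete mitigation.
sgwbox_triage() {
    state=$(sgwbox_disk_state "${1:-/}")
    if eshell_running; then live=running; else live=stopped; fi
    echo "$state $live"
    case "$state/$live" in
        other-version/*|binary-absent/stopped|not-executable/stopped) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the device:  ps | sgwbox_triage /
# (use "ps -e" where plain ps lists only the current session)
```

A result of "not-executable running" means the chmod was applied but the service was never stopped, so the interface is still reachable until the process is killed or the device restarts.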

📡 Detection & Monitoring

Log Indicators:

  • Unusual commands in system logs
  • Suspicious processes spawned from http_eshell_server
  • Failed authentication attempts to NETREBOOT Interface

Network Indicators:

  • Unexpected outbound connections from sgwbox device
  • Traffic to/from NETREBOOT port with command-like patterns

SIEM Query:

source="sgwbox" AND (process="http_eshell_server" OR port="[NETREBOOT_PORT]") AND (command="*;*" OR command="*|*" OR command="*`*")
