Advisory

Critical Unauthenticated RCE Vulnerability in IceWarp Leaves 1,200 Servers Exposed

Take action: If you are using IceWarp, this is important. Unauthenticated attackers can take full control of your entire mail server without needing a password. Apply the latest IceWarp security updates to close this vulnerability. If possible, isolate the platform from the internet.



Over 1,200 internet-facing IceWarp servers remain unpatched for a critical remote code execution flaw.

The flaw, tracked as CVE-2025-14500 (CVSS score 9.8), is an OS command injection vulnerability in the application's handling of the X-File-Operation HTTP header. The software fails to validate or neutralize user-supplied strings before passing them to a system call. An attacker can send a crafted HTTP request containing malicious commands within the header, which the server then executes with SYSTEM privileges on Windows or root privileges on Linux. This bypasses all authentication checks, allowing immediate code execution upon receipt of the malicious request.

The Shadowserver Foundation is currently alerting owners of exposed instances, as the flaw provides a direct path to system-level compromise without requiring valid credentials or user interaction.

The vulnerability affects IceWarp versions from 11.0.0 through several recent builds across multiple product generations. The following versions are confirmed as vulnerable:

  • IceWarp Epos Update 2 (versions prior to 14.2.0.9)
  • IceWarp Epos Update 1 (versions prior to 14.1.0.19)
  • IceWarp Epos 1st Generation (versions prior to 14.0.0.18)
  • Deep Castle and older legacy versions (versions prior to 13.0.3.13)

A successful exploit grants attackers complete authority over the server, allowing them to compromise sensitive corporate communications, intellectual property, and PII by stealing emails, documents, and API credentials.

Organizations should immediately update their on-premises IceWarp instances to the latest secure builds. There are no workarounds; patching is the only fix for the issue.
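
To find which instances still need the update, the following added example (not IceWarp or Shadowserver code) checks an inventory of version strings against the fixed builds listed above. The hostnames and sample versions are constructed, and treating every 11.x to 13.x build as measured against 13.0.3.13 is an assumption.

```python
# Added example: triage an inventory of IceWarp versions against the fixed
# builds listed in this advisory. Hostnames and versions below are constructed.

# First fixed build per branch, from the advisory's affected-version list.
FIXED_BUILDS = {
    (14, 2): (14, 2, 0, 9),     # Epos Update 2
    (14, 1): (14, 1, 0, 19),    # Epos Update 1
    (14, 0): (14, 0, 0, 18),    # Epos 1st Generation
}
LEGACY_FIXED = (13, 0, 3, 13)   # Deep Castle and older legacy versions
FIRST_AFFECTED = (11, 0, 0, 0)  # advisory: affected from 11.0.0


def parse_version(text):
    """Turn '14.1.0.7' into (14, 1, 0, 7), padding short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Return 'vulnerable', 'fixed', or 'not-listed' for one version string."""
    try:
        v = parse_version(text)
    except ValueError:
        return "not-listed"             # unparseable: needs manual review
    if v < FIRST_AFFECTED:
        return "not-listed"             # older than the advisory's stated range
    if v[0] < 14:
        # Assumption: every 11.x-13.x build is compared to the legacy fix.
        return "vulnerable" if v < LEGACY_FIXED else "fixed"
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "not-listed"             # branch the advisory does not mention
    return "vulnerable" if v < fixed else "fixed"


def triage(inventory):
    """Map each host to its status; inventory is {host: version string}."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {"mail1.example.test": "14.1.0.7", "mail2.example.test": "14.2.0.9",
              "mail3.example.test": "13.0.3.12", "mail4.example.test": "10.4.5"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as not-listed fall outside the versions this advisory names and need manual review rather than being assumed safe.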
