Over 1,200 IceWarp servers still vulnerable to unauthenticated RCE flaw (CVE-2025-14500)

A critical RCE vulnerability (CVE-2025-14500) in IceWarp, an EU-made business communication and collaboration platform, may be exploited by attackers to gain unauthorized access to exposed unpatched servers.


According to the Shadowserver Foundation, there are currently over 1,200 internet-facing instances that have yet to receive a fix, and the organization is sending out alerts to the owners, urging them to update.

About CVE-2025-14500

IceWarp, developed by the Czech company of the same name, is a business communication and collaboration application that’s used as an alternative to more popular platforms like Microsoft 365 or Google Workspace.

CVE-2025-14500 is an OS command injection vulnerability that exists within the app’s handling of the X-File-Operation header. It affects both Windows and Linux deployments.

“The vulnerability occurs because the application fails to properly validate and neutralize user-supplied string data before passing it to a system call. Because authentication is not required, any remote attacker can send a maliciously crafted HTTP request to execute arbitrary OS commands in the context of the SYSTEM or root user,” the Centre for Cybersecurity Belgium (CCB) explained.

The vulnerability was reported in September 2025 and fixed in October 2025 in both older and newer generations of the solution:

  • IceWarp Epos Update 2 – version 14.2.0.9 or newer (which is currently 14.2.0.12)
  • IceWarp Epos Update 1 – version 14.1.0.19 or newer (currently 14.1.0.20)
  • IceWarp Epos – version 14.0.0.18
  • Deep Castle – version 13.0.3.13

Both cloud and on-premises instances were affected, but the patch was immediately deployed on the former.

Unfortunately, as shown by Shadowserver, some organizations still haven’t upgraded their on-premises instances to a fixed version.
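For administrators checking an inventory against the fixed versions listed above, the following is an added example and not code from IceWarp, CCB or Shadowserver. It assumes a release line is identified by the first three version components and that any build at or above the listed fixed build is patched; the hostnames and versions in the sample are constructed.

```python
import re

# Fixed builds per release line, taken from the list in this article.
# Key: first three version components; value: lowest fixed fourth component.
FIXED_BUILDS = {
    (14, 2, 0): 9,    # IceWarp Epos Update 2
    (14, 1, 0): 19,   # IceWarp Epos Update 1
    (14, 0, 0): 18,   # IceWarp Epos
    (13, 0, 3): 13,   # Deep Castle
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def triage(version: str) -> str:
    """Classify a version string as fixed, vulnerable, unlisted or unparsed."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparsed"
    *line, build = (int(p) for p in m.groups())
    fixed_build = FIXED_BUILDS.get(tuple(line))
    if fixed_build is None:
        # Release line is not in the article's list: review it manually
        # against the vendor advisory instead of guessing.
        return "unlisted"
    return "fixed" if build >= fixed_build else "vulnerable"


def triage_inventory(inventory: dict) -> dict:
    """Group hostnames by triage result so each bucket can be actioned."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(triage(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "mail-a.example.org": "14.2.0.12",
    "mail-b.example.org": "14.2.0.8",
    "mail-c.example.org": "14.1.0.19",
    "mail-d.example.org": "13.0.3.12",
    "mail-e.example.org": "12.3.0.1",
    "mail-f.example.org": "14.0.0",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

A "fixed" result only reflects the installed version; as CCB notes below, it says nothing about whether the server was compromised before the upgrade.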

Upgrade ASAP!

IceWarp support recently updated the initial alert to express the need for organizations to update their IceWarp instance as soon as possible (and to back up the entire server before they do it).

“Please note that you may be contacted by the state security authorities due to the severity of this vulnerability. Customers with an expired license will receive a new SAAS license for 1 month at no charge due to upgrade requirements,” the company said.

CCB also made sure to point out that “while patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.”

That said, there are currently no reports of in-the-wild exploitation of CVE-2025-14500, though that may change soon.
