Mallory

Critical OS Command Injection in IceWarp via `X-File-Operation` Header

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 02:21 PM (2 sources)


Government cyber agencies in Belgium and Canada warned of a critical unauthenticated OS command injection vulnerability in IceWarp (tracked as CVE-2025-14500, CVSS 9.8) that allows a remote attacker to execute arbitrary commands on affected servers. The flaw is classified as CWE-78 (OS command injection) and stems from improper validation of user-controlled input in the X-File-Operation HTTP header; successful exploitation yields code execution with high privileges (SYSTEM on Windows or root on Linux), with severe impact on confidentiality, integrity, and availability.

Both advisories urge immediate patching across impacted IceWarp product lines and versions, including IceWarp Epos Update 2, Epos Update 1, Epos (1st generation), and Deep Castle and older versions. Recommended fixed versions include upgrading to 14.2.0.12+ (Epos Update 2), 14.1.0.20+ (Epos Update 1), 14.0.0.18+ (Epos 1st gen), and 13.0.3.13+ (Deep Castle/older), alongside heightened monitoring and detection while remediation is underway.
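As an added example, not IceWarp's or either agency's own tooling: a small Python triage script that checks an inventory of IceWarp version strings against the fixed versions listed above, so a defender can see which hosts still need the update before the monitoring work starts. The fixed-version thresholds are the ones quoted from the advisories; the assumption that a version's major.minor prefix identifies its release line (14.2 is Epos Update 2, 14.1 is Epos Update 1, 14.0 is Epos 1st generation, 13.x and earlier is Deep Castle/older) is mine, and the host inventory is constructed sample data.

```python
"""Triage an IceWarp version inventory against the CVE-2025-14500 fixed versions.

Example code added to this summary. Thresholds are taken from the advisory text;
the prefix-to-release-line mapping is an assumption; the inventory is constructed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed versions per release line, as given in the advisories.
# Key: (major, minor) prefix assumed to identify the release line.
FIXED_VERSIONS = {
    (14, 2): ("Epos Update 2", (14, 2, 0, 12)),
    (14, 1): ("Epos Update 1", (14, 1, 0, 20)),
    (14, 0): ("Epos (1st generation)", (14, 0, 0, 18)),
}
# Assumption: anything on 13.x or older belongs to the "Deep Castle and older" line.
LEGACY_LINE = ("Deep Castle/older", (13, 0, 3, 13))


def parse_version(text: str) -> Version:
    """Turn '14.2.0.11' into (14, 2, 0, 11); missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def classify(version: str) -> Tuple[str, Optional[bool], str]:
    """Return (release_line, is_fixed, minimum_fixed_version) for one version string.

    is_fixed is None when the version is newer than any line the advisories name,
    because this table cannot say anything about it.
    """
    v = parse_version(version)
    entry = FIXED_VERSIONS.get(v[:2])
    if entry is None:
        if v[:2] > (14, 2):
            return ("newer than advisory lines", None, "n/a")
        entry = LEGACY_LINE
    line, fixed = entry
    return (line, v >= fixed, ".".join(map(str, fixed)))


def triage(inventory: List[Tuple[str, str]]):
    """Split an inventory into hosts below the fixed version and hosts the table
    does not cover, so nothing is silently treated as patched."""
    needs_patch, unknown = [], []
    for host, version in inventory:
        line, is_fixed, minimum = classify(version)
        if is_fixed is None:
            unknown.append(host)
        elif not is_fixed:
            needs_patch.append((host, line, version, minimum))
    return needs_patch, unknown


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mail-01.example.test", "14.2.0.11"),
    ("mail-02.example.test", "14.2.0.12"),
    ("mail-03.example.test", "14.1.0.19"),
    ("mail-04.example.test", "14.0.0.18"),
    ("legacy-mx.example.test", "13.0.3.10"),
    ("lab.example.test", "14.3.0.1"),
]

if __name__ == "__main__":
    pending, uncovered = triage(SAMPLE_INVENTORY)
    for host, line, version, minimum in pending:
        print(f"PATCH  {host}: {line} {version} (fixed in {minimum}+)")
    for host in uncovered:
        print(f"CHECK  {host}: version not covered by the advisory table")
```

Versions the table does not cover are reported separately rather than assumed safe; when a new IceWarp line appears, extend `FIXED_VERSIONS` from the vendor advisory rather than guessing.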

Timeline

  1. Feb 20, 2026

    Belgian CCB warns of critical IceWarp OS command injection flaw

    On 2026-02-20, Belgium's Centre for Cybersecurity issued a warning urging organizations to patch a critical OS command injection vulnerability in IceWarp immediately. The alert reinforced the need to apply the fixes IceWarp had already released.

  2. Feb 19, 2026

    IceWarp publishes advisories for multiple product vulnerabilities

    On 2026-02-19, IceWarp published security advisories covering vulnerabilities across multiple IceWarp products, including at least one critical flaw. The advisories said several IceWarp Epos release lines and the Deep Castle and older line were affected up to specified version thresholds, and provided security update information.


Related Stories

Unpatched internet-facing servers remain exposed to critical RCE flaws in Redis and IceWarp

A long-lived **Redis** memory-corruption flaw dubbed **RediShell** (`CVE-2025-49844`) was reported as a *use-after-free* bug that can lead to **remote code execution** under certain conditions. Although exploitation requires authentication, research noted that tens of thousands of Redis instances have historically been exposed to the internet without authentication enabled, increasing real-world risk; the issue was discovered by **Wiz** and demonstrated at *Pwn2Own Berlin* prior to public disclosure. Separately, **IceWarp** disclosed a critical **unauthenticated RCE** (`CVE-2025-14500`) caused by **OS command injection** in handling of the `X-File-Operation` HTTP header, impacting both Windows and Linux deployments and enabling arbitrary command execution as **SYSTEM/root**. The flaw was reported in September 2025 and fixed in October 2025 across supported product lines, but **Shadowserver** reported more than **1,200** internet-facing on-prem instances still unpatched and said it is notifying affected owners to upgrade.

1 month ago
Authenticated Command Injection Flaws Disclosed in Endian Firewall CGI Scripts

Two high-severity vulnerabilities, **CVE-2026-34794** and **CVE-2026-34791**, were disclosed in **Endian Firewall 3.3.25 and earlier**, exposing authenticated users to arbitrary operating system command execution through the `DATE` parameter in the `/cgi-bin/logs_ids.cgi` and `/cgi-bin/logs_proxy.cgi` endpoints. Both flaws were classified as **CWE-78** command injection issues and stem from incomplete regular-expression validation that lets attacker-controlled input influence a file path passed to a Perl `open()` call. The vulnerabilities carry the same **CVSS v3.1** score vector, `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating network-reachable exploitation with low attack complexity and low privileges, with high impact on confidentiality, integrity, and availability. The disclosures were submitted through **VulnCheck** and reference vendor support resources from **Endian**, highlighting that organizations running affected firewall versions should review exposure of these CGI components and prioritize remediation.

1 month ago
Weaver E-cology Flaws Expose Servers to Unauthenticated RCE and File Read

Weaver (Fanwei) **E-cology** deployments are affected by two high-severity vulnerabilities that allow unauthenticated attackers to compromise exposed servers. **`CVE-2026-22679`** impacts E-cology **10.0** versions prior to **20260312** and enables remote code execution through the `/papi/esearch/data/devops/dubboApi/debug/method` endpoint, where attacker-controlled `interfaceName` and `methodName` POST parameters can abuse exposed debug functionality to run arbitrary commands. The issue is classified as **CWE-306** and carries high impact across confidentiality, integrity, and availability, with exploitation observed in the wild by the Shadowserver Foundation. A second flaw, **`CVE-2022-50992`**, affects E-cology **9.5** versions prior to **10.52** and allows unauthenticated arbitrary file reads through the **`XmlRpcServlet`** XML-RPC interface. Attackers can supply file paths to the `WorkflowService.getAttachment` and `WorkflowService.LoadTemplateProp` methods to retrieve sensitive files from the server, including configuration data and database credentials. The vulnerability is mapped to **CWE-22**, and Shadowserver reported exploitation evidence dating back to 2022, underscoring continued exposure risk for internet-facing E-cology systems that remain unpatched.

2 days ago
