Initiatives pour
En tant qu'autorité nationale en matière de cybersécurité, le CCB a développé plusieurs initiatives destinées à des publics spécifiques, qui sont présentées ici.
Warning: Critical OS Command Injection vulnerability in IceWarp, Patch Immediately!
Image
Publié : 20/02/2026
- Last update: 20/02/2026
- Affected software:
→ IceWarp- Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CVE/CVSS
→ CVE-2025-14500: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-14500
Risks
IceWarp issued an urgent warning about a critical vulnerability discovered in their product that affects both Windows and Linux deployments. This vulnerability allows an unauthenticated, remote attacker to gain unauthorized access and execute arbitrary code on the host server. This has a high impact on the Confidentiality, Integrity and Availability of the system.
Description
The core of the recent critical disclosures stems from an OS Command Injection Vulnerability (CWE-78).
The specific flaw exists within the handling of the X-File-Operation header in IceWarp instances. The vulnerability occurs because the application fails to properly validate and neutralize user-supplied string data before passing it to a system call. Because authentication is not required, any remote attacker can send a maliciously crafted HTTP request to execute arbitrary OS commands in the context of the SYSTEM or root user.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. The vendor recommends updating to the following patched versions:
• IceWarp Epos Update 2: Upgrade to version 14.2.0.9 or newer. (Latest version of Update 2: 14.2.0.12)
• IceWarp Epos Update 1: Upgrade to version 14.1.0.19 or newer. (Latest version of Update 1: 14.1.0.20)
• IceWarp Epos (1st generation): Upgrade to version 14.0.0.18 or newer. (Latest version of Epos: 14.0.0.18)
• Deep Castle and older versions: Upgrade to version 13.0.3.13 or newer. (Latest version of Deep Castle: 13.0.3.13)
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
References
→ IceWarp warning - https://support.icewarp.com/hc/en-us/articles/39702252317713-IceWarp-Security-Update
→ IceWarp release notes - <https://support.icewarp.com/hc/en-us/community/topics/360001047354-RELEASE-NOTES >