CVE-2025-14704

HighPublic PoC

Published: 15 December 2025

Published

15 December 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0042 62.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in Shiguangwu sgwbox N3 2.0.25. The impacted element is an unknown function of the file /eshell of the component API. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit…

has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates path traversal vulnerability by requiring validation of API inputs in /eshell to reject malicious path sequences like '../'.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection at external interfaces protects the publicly accessible API endpoint from remote unauthenticated path traversal attacks via inspection and filtering.

AC-6 Least Privilege partial match

prevent

Least privilege limits the file system access of the vulnerable API component, reducing the impact of successful directory traversal exploitation.

Security SummaryAI

CVE-2025-14704 is a path traversal vulnerability (CWE-22) in Shiguangwu sgwbox N3 version 2.0.25. The issue affects an unknown function in the /eshell file of the API component, allowing manipulation that enables directory traversal attacks.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), meaning it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation results in low-level impacts on confidentiality, integrity, and availability, such as unauthorized file access, modification, or disruption via path traversal.

Advisories from VulDB indicate the vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are referenced. The exploit has been made public, increasing the risk of active use. Additional details appear in VulDB entries (ctiid.336421, id.336421, submit.706915) and a Notion page on sgwbox NAS N3 directory traversal. The CVE was published on 2025-12-15.

Details

CWE(s): CWE-22

Affected Products

sgwbox

n3 firmware

≤ 2.0.25

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1006 Direct Volume Access Stealth

Adversaries may directly access a volume to bypass file access controls and file system monitoring.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal in unauthenticated public-facing API (/eshell) enables exploitation of public-facing application (T1190), arbitrary file reads for data from local system (T1005), and direct volume access bypassing restrictions (T1006) as mapped by advisory; also facilitates arbitrary writes.

References

https://vuldb.com/?ctiid.336421
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.336421
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.706915
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.notion.so/sgwbox-NAS-N3-Directory-Traversal-2be6cf4e528a802a9c0ad6f01b75694e?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com