CVE-2025-14499

8.8 HIGH
Published: December 23, 2025 Modified: December 23, 2025
View on NVD

Description

IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25441.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://support.icewarp.com/hc/en-us/community/posts/40040542307729-EPOS-Update-2-build-8-14-2-0-8
Source: zdi-disclosures@trendmicro.com
https://www.zerodayinitiative.com/advisories/ZDI-25-1071/
Source: zdi-disclosures@trendmicro.com

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.8 / 10.0
EPSS (Exploit Probability)
0.2%
38th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3