A critical remote code execution vulnerability, identified as CVE-2025-14709, exists in Shiguangwu sgwbox network devices. The flaw allows a remote, unauthenticated attacker to gain complete control of an affected device by sending a specially crafted request. Due to the public availability of an exploit and a lack of vendor response, this vulnerability poses an immediate and severe risk of device compromise and further network intrusion.

A buffer overflow vulnerability exists in the http_eshell_server binary located at /usr/sbin/http_eshell_server. The flaw is present in the handling of the WIRELESSCFGGET interface. A remote, unauthenticated attacker can send a malicious request manipulating the params argument with an overly long string, which overflows the buffer and allows for arbitrary code execution on the device with root privileges.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows a remote attacker to gain full administrative control over the affected network device without any user interaction or authentication. This could lead to a complete compromise of the device's integrity, confidentiality, and availability. Potential consequences include eavesdropping on network traffic, using the compromised device as a pivot point to attack the internal network, installing persistent malware, or causing a complete denial of service. The public disclosure of an exploit significantly increases the likelihood of attack by both automated scanners and malicious actors.

Immediate Action: Organizations must immediately update affected Shiguangwu sgwbox devices to the latest version provided by the vendor to patch this vulnerability. After patching, it is crucial to monitor for any signs of exploitation attempts and review historical access logs for indicators of compromise.

Proactive Monitoring: Security teams should monitor network traffic for anomalous requests to the /usr/sbin/http_eshell_server service, specifically targeting the WIRELESSCFGGET interface with unusually long or malformed params arguments. Monitor affected devices for unexpected outbound connections, high CPU or memory usage, and the creation of unrecognized files or processes, which could indicate a successful compromise.

Compensating Controls: If patching is not immediately possible, implement strict access control lists (ACLs) on firewalls and routers to restrict access to the device's web management interface to only trusted IP addresses and dedicated management networks. Consider deploying an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking buffer overflow attack patterns targeting this specific vulnerability.

Public Exploit Available: true

This vulnerability requires immediate attention. The primary recommendation is to apply the vendor's patch as soon as it becomes available. Due to the vendor's unresponsiveness, organizations must assume a patch may not be forthcoming and should prioritize implementing compensating controls, such as network segmentation and access restriction, to shield the vulnerable interface from the internet. Given the availability of a public exploit, organizations should actively hunt for evidence of compromise within their networks.