CVE-2025-14106
Published: 05 December 2025
Description
A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
Mitigating Controls (NIST 800-53 r5)
- Requires validation of the safe_dir parameter in HTTP POST requests to the /v2/file/safe/close endpoint, directly preventing command injection exploitation.
- Mandates timely remediation of the command injection flaw in the zfilev2_api.CloseSafe function via vendor patches, eliminating the vulnerability.
- Enforces least privilege for low-privilege authenticated users (PR:L), limiting the scope and impact of arbitrary command execution on the NAS device.
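The first control above calls for validating safe_dir before it can reach any command. As an added example (not ZSPACE's code and not taken from the advisory), this is how a hardened /v2/file/safe/close handler would treat the parameter in Python: an allowlisted single path component, an independent path-confinement check against a base directory, and an argv invocation with no shell involved. SAFE_BASE, the close-safe helper program and its --dir flag are constructed assumptions.

```python
import os
import re
import subprocess

# Constructed assumptions for this example: the directory under which all
# safes live, and a hypothetical helper program that closes one of them.
SAFE_BASE = "/mnt/safes"
CLOSE_SAFE_CMD = "/usr/local/bin/close-safe"

# Allowlist: exactly one path component made of letters, digits, '.', '_'
# and '-', starting with a letter or digit. This excludes '/', '..',
# whitespace, newlines and every shell metacharacter by construction.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class InvalidSafeDir(ValueError):
    """Raised when the client-supplied safe_dir fails validation."""


def validate_safe_dir(safe_dir: str) -> str:
    """Return the absolute path of an allowed safe, or raise InvalidSafeDir.

    The check is positive (allowlist), not a denylist of known-bad characters,
    so `;`, `$(...)`, backticks, newlines and `..` all fail for one reason:
    they are simply not in the permitted alphabet.
    """
    if not isinstance(safe_dir, str) or not _SAFE_NAME.fullmatch(safe_dir):
        raise InvalidSafeDir("safe_dir must be a single plain directory name")
    base = os.path.realpath(SAFE_BASE)
    path = os.path.realpath(os.path.join(base, safe_dir))
    # Second, independent check: the resolved path must stay under the base.
    if os.path.commonpath([base, path]) != base:
        raise InvalidSafeDir("safe_dir escapes the safe base directory")
    return path


def is_valid_safe_dir(safe_dir: str) -> bool:
    """Boolean form of validate_safe_dir, convenient for request filtering."""
    try:
        validate_safe_dir(safe_dir)
        return True
    except InvalidSafeDir:
        return False


def build_close_command(safe_dir: str) -> list[str]:
    """Build the argv list for the helper; no shell string is ever formed."""
    return [CLOSE_SAFE_CMD, "--dir", validate_safe_dir(safe_dir)]


def close_safe(safe_dir: str) -> int:
    """What the hardened handler does with safe_dir: validate, then execve."""
    argv = build_close_command(safe_dir)
    # shell=False (the default): argv goes straight to execve, so even a
    # hostile value is only ever one argument, never parsed by /bin/sh.
    return subprocess.run(argv, shell=False, check=False).returncode
```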
Security Summary
CVE-2025-14106 is a command injection vulnerability in ZSPACE Q2C NAS versions up to 1.1.0210050. The issue affects the zfilev2_api.CloseSafe function, exposed via the /v2/file/safe/close endpoint in the HTTP POST Request Handler component. By manipulating the safe_dir argument, an attacker can inject arbitrary commands, as classified under CWE-74 (injection) and CWE-77 (command injection specifically). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability enables remote exploitation by authenticated users with low privileges (PR:L). Attackers can send a crafted HTTP POST request to the affected endpoint, injecting commands through the safe_dir parameter to execute arbitrary system commands on the NAS device. Successful exploitation grants high-level confidentiality, integrity, and availability impacts, potentially allowing full compromise of the device, data exfiltration, or further lateral movement.
Advisories from VulDB indicate that the vendor was notified early, confirmed the vulnerability's existence, and plans to release a technical fix, though no patch details or timeline are specified. An exploit is publicly available and may already be in use. Security practitioners should monitor for updates from the vendor and restrict access to the /v2/file/safe/close endpoint where possible.
Notable context includes the public availability of the exploit, increasing the risk of active exploitation against unpatched ZSPACE Q2C NAS deployments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via public-facing HTTP endpoint (T1190, T1210) enables arbitrary Unix shell command execution (T1059.004).