CVE-2025-14107
Published: 05 December 2025
Description
A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly prevents command injection by validating the manipulated safe_dir argument in the HTTP POST request to the vulnerable endpoint.
- Ensures timely identification, reporting, and patching of the command injection flaw in ZSPACE Q2C NAS firmware up to version 1.1.0210050.
- Enables monitoring for anomalous POST requests to /v2/file/safe/status, identifying exploitation attempts of the command injection vulnerability.
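The first and third controls above, carried into working code as an added example (this is not code from ZSPACE or from the advisory): an allowlist check on the safe_dir argument that a handler, reverse proxy or WAF rule can apply before the value reaches anything that builds a command line, and the same check run over request-log lines to surface POST requests to the endpoint that would have been rejected. The endpoint path comes from the advisory; the share roots, the log format and the sample log lines are assumptions constructed for the example.

```python
"""Defensive handling of the safe_dir argument sent to /v2/file/safe/status.

Added example, not code from ZSPACE or from the advisory. It shows
  1. validate_safe_dir(): an allowlist check that a handler, reverse proxy or
     WAF rule can apply to the argument before it reaches anything that
     builds a command line;
  2. scan_log(): the same check run over request log lines, to surface POST
     requests to the endpoint whose safe_dir would have been rejected.
The log format and the share roots are constructed for the example (they
assume a proxy in front of the NAS records the decoded form body); real
device logs differ.
"""
import re
from urllib.parse import parse_qs

ENDPOINT = "/v2/file/safe/status"
# An acceptable value is an absolute path made only of these characters.
# Shell metacharacters (; | & $ ` ( ) newline, whitespace) cannot match.
SAFE_PATH = re.compile(r"/[A-Za-z0-9_./-]*")
# Assumption for the example: user shares live under these roots.
ALLOWED_ROOTS = ("/mnt/", "/share/")

# Constructed log format: <ts> <src-ip> <method> <path> body="<form body>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) body="([^"]*)"$')


def validate_safe_dir(value: str) -> tuple[bool, str]:
    """Return (accepted, reason). Only a canonical absolute path under an
    allowed root is accepted; everything else is rejected with a short
    reason that is safe to write to a log."""
    if not value:
        return False, "empty value"
    if not SAFE_PATH.fullmatch(value):
        return False, "character outside allowlist"
    if ".." in value.split("/"):
        return False, "path traversal segment"
    if not value.startswith(ALLOWED_ROOTS):
        return False, "outside allowed share roots"
    return True, "ok"


def scan_log(lines) -> list[tuple[str, str, str]]:
    """Return (src_ip, reason, safe_dir) for each POST to ENDPOINT whose
    safe_dir is missing or fails validate_safe_dir()."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real deployment should count these
        _ts, src, method, path, body = m.groups()
        if method != "POST" or path != ENDPOINT:
            continue
        params = parse_qs(body, keep_blank_values=True)
        values = params.get("safe_dir", [])
        if not values:
            findings.append((src, "safe_dir missing", ""))
            continue
        for value in values:
            ok, reason = validate_safe_dir(value)
            if not ok:
                findings.append((src, reason, value))
    return findings


# Constructed sample lines (not real traffic). Form bodies are URL-encoded
# as a client would send them; parse_qs decodes them before the check.
SAMPLE_LOG = [
    '2025-12-05T10:00:01Z 10.0.0.5 POST /v2/file/safe/status body="safe_dir=%2Fmnt%2Fshare1"',
    '2025-12-05T10:00:02Z 10.0.0.5 GET /v2/file/list body=""',
    '2025-12-05T10:00:07Z 198.51.100.7 POST /v2/file/safe/status body="safe_dir=%2Fmnt%2Fshare1%3Bid"',
    '2025-12-05T10:00:09Z 198.51.100.7 POST /v2/file/safe/status body="safe_dir=%2Fmnt%2F..%2Fetc"',
    '2025-12-05T10:00:11Z 198.51.100.7 POST /v2/file/safe/status body="other=1"',
]

if __name__ == "__main__":
    for src, reason, value in scan_log(SAMPLE_LOG):
        print(f"{src}: {reason} (safe_dir={value!r})")
```

The check is an allowlist rather than a denylist of metacharacters on purpose: a value that does not match the narrow path pattern is rejected regardless of which shell the device uses or how the argument is quoted downstream. Run over the sample, the scan flags only the three requests from 198.51.100.7 and leaves the legitimate request from 10.0.0.5 alone.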
Security Summary [AI]
CVE-2025-14107 is a command injection vulnerability affecting ZSPACE Q2C NAS devices running versions up to 1.1.0210050. The flaw resides in the zfilev2_api.SafeStatus function, exposed via the /v2/file/safe/status endpoint in the HTTP POST Request Handler component. By manipulating the safe_dir argument in a POST request, an attacker can inject arbitrary commands, as classified under CWE-74 (injection) and CWE-77 (command injection specifically). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with significant impacts on confidentiality, integrity, and availability.
Attackers with low privileges (PR:L), such as authenticated users, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary command execution on the underlying system, potentially leading to full compromise including data exfiltration, modification, or disruption of NAS services. An exploit has been publicly released, increasing the risk of widespread abuse.
VulDB advisories (e.g., ctiid.334489, id.334489) detail the issue, noting that the vendor was notified early, confirmed the vulnerability, and plans to release a technical fix. No patches are available as of the CVE publication on 2025-12-05, so practitioners should restrict access to the affected endpoint, monitor for anomalous POST requests to /v2/file/safe/status, and prepare for upgrades. Additional details are available in the referenced Notion document.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The remote command injection vulnerability (CWE-77) in the public-facing HTTP POST endpoint (/v2/file/safe/status) maps to exploitation of a public-facing application (T1190), execution of Unix shell commands (T1059.004), indirect command execution (T1202, as cited in the advisory), and exploitation of remote services for RCE (T1210).