CVE-2025-14108
Published: 05 December 2025
Description
A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. Manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Input validation: directly prevents command injection by validating and sanitizing the safe_dir argument in the vulnerable HTTP POST endpoint.
- Flaw remediation: ensures timely installation of the vendor's planned patch to remediate this specific command injection flaw.
- Boundary protection: a web application firewall can inspect and block malicious HTTP requests that exploit the safe_dir injection.
Security Summary (AI-generated)
CVE-2025-14108 is a command injection vulnerability affecting ZSPACE Q2C NAS versions up to 1.1.0210050. The issue resides in the zfilev2_api.OpenSafe function, exposed via the /v2/file/safe/open endpoint in the HTTP POST Request Handler component. By manipulating the safe_dir argument, an attacker can inject arbitrary commands, as classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows full compromise, granting high impacts on confidentiality, integrity, and availability, such as executing arbitrary system commands on the NAS device. A public exploit is available, increasing the risk of widespread abuse.
VulDB advisories (e.g., ctiid.334490, id.334490) detail the issue, noting that the vendor was notified early, confirmed the vulnerability, and plans to release a technical fix. No specific patch version or immediate workaround is mentioned in the provided references. Security practitioners should monitor for updates from ZSPACE and restrict access to the affected endpoint where possible. The exploit's public availability heightens the urgency for affected systems.
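As an added example (not ZSPACE's code and not derived from the public exploit), the two defensive measures named above, validating the safe_dir argument and inspecting requests to the affected endpoint, written in Python. SAFE_ROOT, the character allowlist and the request records are assumptions for illustration; the advisory does not describe the NAS's directory layout or how the argument is consumed.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Assumed base directory for "safe" folders; the real NAS layout is not
# described in the advisory, so this value is a placeholder for the example.
SAFE_ROOT = PurePosixPath("/mnt/safe")

# Allowlist for one path segment: no shell metacharacters, no whitespace.
_SEGMENT_OK = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_safe_dir(value: str) -> Optional[str]:
    """Return a canonical path under SAFE_ROOT, or None if the value is rejected.

    Rejects empty values, absolute paths, '.'/'..' segments and any segment
    with characters outside the allowlist. The result is safe to hand to a
    subprocess as a single argument (never interpolated into a shell string).
    """
    if not value or value.startswith("/"):
        return None
    parts = PurePosixPath(value).parts
    for part in parts:
        if part in (".", "..") or not _SEGMENT_OK.match(part):
            return None
    return str(SAFE_ROOT.joinpath(*parts))


# Constructed request records, as a reverse proxy or WAF that logs decoded
# form fields might produce them. Not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/v2/file/safe/open", "safe_dir": "photos/2024"},
    {"method": "POST", "path": "/v2/file/safe/open", "safe_dir": "docs;id"},
    {"method": "POST", "path": "/v2/file/safe/open", "safe_dir": "../../etc"},
    {"method": "GET", "path": "/v2/file/list", "safe_dir": "docs;id"},
]


def flag_suspicious_requests(requests):
    """Return (record, reason) pairs for POSTs to the affected endpoint
    whose safe_dir fails validation. Other endpoints are ignored."""
    flagged = []
    for req in requests:
        if req["method"] != "POST" or req["path"] != "/v2/file/safe/open":
            continue
        safe_dir = req.get("safe_dir", "")
        if validate_safe_dir(safe_dir) is None:
            flagged.append((req, f"rejected safe_dir={safe_dir!r}"))
    return flagged
```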
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Command injection in the web API enables arbitrary remote command execution by low-privileged authenticated users, facilitating exploitation of remote services (T1210), privilege escalation (T1068), and Unix shell command execution (T1059.004) on the NAS.