CVE-2025-5952
BaseFortify
Publication date: 2025-06-10
Last updated on: 2026-04-29
Assigner: VulDB
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5952 is a critical vulnerability in Zend.To versions up to 6.10-6 Beta. It occurs in the NSSDropoff.php file where the exec() function is called with a file name argument that is not properly sanitized. Specifically, the tmp_name parameter from file uploads, which can be manipulated by an attacker, is passed directly to exec(), allowing remote attackers to inject and execute arbitrary operating system commands without authentication. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to execute arbitrary system commands on the affected server. This can lead to full compromise of the system, impacting confidentiality, integrity, and availability. Attackers can remotely control the server, potentially stealing data, modifying or deleting files, or disrupting services. The exploit is publicly available and easy to perform, increasing the risk of exploitation. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable NSSDropoff.php file in Zend.To versions up to 6.10-6 Beta. One method is to use Google dorking with queries like "inurl:NSSDropoff.php" to identify potentially vulnerable targets. On your system, you can verify the version of Zend.To installed and inspect the NSSDropoff.php file for the vulnerable exec() calls handling the file_1 or tmp_name parameters. Network detection might involve monitoring for unusual or unauthorized file upload requests that manipulate the tmp_name parameter or detecting execution of unexpected OS commands originating from the web server process. Specific commands are not provided in the resources, but searching for the file and version can be done with commands like `find /path/to/webroot -name NSSDropoff.php` and checking the Zend.To version via its interface or package manager. [3]
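The file search and exec() inspection described above, as an added shell example (not from the advisory or the Zend.To project): it finds every NSSDropoff.php under a web root and labels each exec() line by whether a PHP variable appears on it without escapeshellarg(). The labels, the regex and the embedded sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2025-5952 (not Zend.To code).
# Lists exec() calls in every NSSDropoff.php under a web root for manual review.

# Plain exec( only; skips curl_exec(, shell_exec(, ->exec( and ::exec(.
EXEC_RE='(^|[^A-Za-z0-9_>:])exec[[:space:]]*\('

find_dropoff_files() {
    find "$1" -type f -name 'NSSDropoff.php' 2>/dev/null
}

# Heuristic labels (assumption, same-line check only):
#   REVIEW-HIGH  variable on the exec() line, no escapeshellarg()
#   REVIEW-LOW   escapeshellarg() present on the line
#   INFO         no PHP variable on the line
audit_webroot() {
    find_dropoff_files "$1" | while IFS= read -r f; do
        grep -HnE "$EXEC_RE" "$f" | while IFS= read -r hit; do
            case $hit in
                *escapeshellarg*) echo "REVIEW-LOW  $hit" ;;
                *'$'*)            echo "REVIEW-HIGH $hit" ;;
                *)                echo "INFO        $hit" ;;
            esac
        done
    done
}

# Constructed sample tree (illustrative lines, not the project's source).
make_sample() {
    sample_dir=$(mktemp -d) && mkdir -p "$sample_dir/www"
    cat > "$sample_dir/www/NSSDropoff.php" <<'EOF'
<?php
exec("/usr/bin/scanner " . $tmpName, $out, $rc);
exec("/usr/bin/scanner " . escapeshellarg($tmpName), $out, $rc);
$stmt->exec($sql);
curl_exec($ch);
EOF
    echo "$sample_dir"
}

if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
else
    s=$(make_sample); audit_webroot "$s"; rm -rf "$s"
fi
```

Run it with the web root as the only argument; with no argument it audits the constructed sample. A REVIEW-HIGH line is a prompt to read the code, not proof of exploitability.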
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Zend.To to version 6.10-7 or later, as this version addresses the issue by fixing the improper sanitization in NSSDropoff.php. Until the upgrade can be applied, restricting access to the vulnerable NSSDropoff.php file, disabling file uploads if possible, or applying web application firewall (WAF) rules to block malicious payloads targeting the tmp_name parameter may help reduce risk. However, the recommended and definitive mitigation is to update to the fixed version. [2, 3]