CVE-2025-14107
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-16

Assigner: VulDB

Description
A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-16
Generated
2026-05-07
AI Q&A
2025-12-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-14107
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zspace q2c_nas_firmware to 1.1.0210050 (inc)
zspace q2c_nas *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can be performed by monitoring HTTP POST requests to the endpoint /v2/file/safe/status for suspicious or malformed 'safe_dir' parameter values that may indicate command injection attempts. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such patterns. Specific commands are not provided in the resources, but inspecting HTTP POST traffic targeting /v2/file/safe/status and looking for unusual characters or payloads in 'safe_dir' is recommended. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include discontinuing use of the affected ZSPACE Q2C NAS firmware version 1.1.0210050 or earlier, as no official patches or mitigations are available. Users are advised to replace the affected product with alternatives. Additionally, restricting network access to the device, especially blocking external HTTP POST requests to /v2/file/safe/status, and deploying network-level protections such as firewalls or WAFs to detect and block command injection attempts can help reduce risk. [1]


Can you explain this vulnerability to me?

This vulnerability is a security flaw in ZSPACE Q2C NAS up to version 1.1.0210050, specifically in the function zfilev2_api.SafeStatus of the HTTP POST Request Handler component. It occurs due to manipulation of the argument safe_dir, which leads to command injection. This means an attacker can remotely execute arbitrary commands on the affected system by exploiting this flaw.


How can this vulnerability impact me? :

The vulnerability allows remote attackers to perform command injection, which can lead to unauthorized execution of commands on the affected system. This can compromise the confidentiality, integrity, and availability of the system, potentially allowing attackers to take control, disrupt services, or access sensitive data.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart