CVE-2025-14108
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-16

Assigner: VulDB

Description
A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14108
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zspace q2c_nas_firmware to 1.1.0210050 (inc)
zspace q2c_nas *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection issue in the ZSPACE Q2C NAS device up to version 1.1.0210050. It occurs in the function zfilev2_api.OpenSafe within the HTTP POST Request Handler component. By manipulating the safe_dir argument in the /v2/file/safe/open endpoint, an attacker can execute arbitrary commands remotely.

Impact Analysis

The vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to full compromise of the system. This can result in unauthorized access, data theft, disruption of services, or further attacks within the network.

Compliance Impact

The vulnerability allows remote attackers to execute arbitrary commands with root privileges, impacting the confidentiality, integrity, and availability of the affected system. Such a compromise could lead to unauthorized access or data breaches, which would negatively affect compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and system integrity. However, no explicit mention of compliance impact is provided in the resources. [1, 2]

Detection Guidance

Detection can be performed by monitoring HTTP POST requests to the endpoint /v2/file/safe/open for suspicious or malformed safe_dir parameter values that may contain command injection payloads. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such patterns. Specific commands to detect exploitation attempts are not provided in the resources. However, inspecting HTTP logs for POST requests to /v2/file/safe/open with unusual safe_dir arguments or using tools like curl or wget to test the endpoint with crafted inputs may help identify attempts. [1, 2]

Mitigation Strategies

There are no known patches or vendor-provided mitigations available for this vulnerability. Immediate mitigation steps include discontinuing use of the affected ZSPACE Q2C NAS firmware version up to 1.1.0210050 and replacing the affected product with a secure alternative. Additionally, restricting network access to the vulnerable endpoint, implementing strict input validation or filtering at network perimeter devices, and monitoring for exploitation attempts are recommended interim measures. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart