CVE-2025-14108
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-16

Assigner: VulDB

Description
A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-12-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product            Version / Range
zspace   q2c_nas_firmware   up to 1.1.0210050 (inclusive)
zspace   q2c_nas            *
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a command injection issue in the ZSPACE Q2C NAS device up to version 1.1.0210050. It occurs in the function zfilev2_api.OpenSafe within the HTTP POST Request Handler component. By manipulating the safe_dir argument in the /v2/file/safe/open endpoint, an attacker can execute arbitrary commands remotely.


How can this vulnerability impact me?

The vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to full compromise of the system. This can result in unauthorized access, data theft, disruption of services, or further attacks within the network.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote attackers to execute arbitrary commands with root privileges, impacting the confidentiality, integrity, and availability of the affected system. Such a compromise could lead to unauthorized access or data breaches, which would negatively affect compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and system integrity. However, no explicit mention of compliance impact is provided in the resources. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can be performed by monitoring HTTP POST requests to the endpoint /v2/file/safe/open for suspicious or malformed safe_dir parameter values that may contain command injection payloads. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such patterns. Specific commands to detect exploitation attempts are not provided in the resources. However, inspecting HTTP logs for POST requests to /v2/file/safe/open with unusual safe_dir arguments, or using tools like curl or wget to test the endpoint with crafted inputs, may help identify attempts. [1, 2]
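An added example of the log inspection described above; it is not code from BaseFortify or the vendor. It assumes a constructed reverse-proxy or WAF log format (timestamp, method, path, quoted form-encoded body) and flags POST requests to /v2/file/safe/open whose safe_dir value contains shell metacharacters or does not look like a plain absolute path; the log lines are constructed samples, not real traffic.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

ENDPOINT = "/v2/file/safe/open"
# Allowlist for a legitimate safe_dir: an absolute path of ordinary path characters.
SAFE_DIR_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")
# Characters a shell interprets; none belong in a directory name sent to this endpoint.
SHELL_META = set(";|&`$()<>\n\r")


def suspicious_safe_dir(value: str) -> bool:
    """True if value carries shell metacharacters or leaves the path allowlist."""
    return any(c in SHELL_META for c in value) or not SAFE_DIR_RE.match(value)


def check_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding for a POST to ENDPOINT with a suspicious safe_dir, else None."""
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    for value in params.get("safe_dir", []):
        if suspicious_safe_dir(value):
            return {"path": path, "safe_dir": value}
    return None


# Assumed (constructed) log format: <timestamp> <method> <path> "<form-encoded body>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def scan_log(lines):
    """Run check_request over every parseable log line; return the list of findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, method, path, body = m.groups()
        finding = check_request(method, path, body)
        if finding:
            finding["ts"] = ts
            findings.append(finding)
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '2025-12-06T10:00:01Z POST /v2/file/safe/open "safe_dir=%2Fshare%2Fdocs&mode=r"',
    '2025-12-06T10:00:02Z GET /v2/file/list "safe_dir=%2Fshare%3Bls"',
    '2025-12-06T10:00:03Z POST /v2/file/safe/open "safe_dir=%2Fshare%3Bls"',
    '2025-12-06T10:00:04Z POST /v2/file/safe/open "safe_dir=%2Fshare%2F%60id%60"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Only the two POST lines whose decoded safe_dir contains `;` or backticks are reported; the GET line is ignored because the vulnerable handler is the POST endpoint.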


What immediate steps should I take to mitigate this vulnerability?

There are no known patches or vendor-provided mitigations available for this vulnerability. Immediate mitigation steps include discontinuing use of the affected ZSPACE Q2C NAS firmware version up to 1.1.0210050 and replacing the affected product with a secure alternative. Additionally, restricting network access to the vulnerable endpoint, implementing strict input validation or filtering at network perimeter devices, and monitoring for exploitation attempts are recommended interim measures. [1]

