CVE-2025-15131
Command Injection in ZSPACE Z4Pro+ HTTP POST Handler
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zspace | z4pro+ | 1.0.0440024 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ZSPACE Z4Pro+ 1.0.0440024, specifically in the function zfilev2_api_SafeStatus of the HTTP POST Request Handler component. It allows an attacker to perform command injection by manipulating the /v2/file/safe/status endpoint. The attack can be executed remotely, and the exploit has been made public.
How can this vulnerability impact me?
The vulnerability can allow a remote attacker to inject and execute arbitrary commands on the affected system. This could lead to unauthorized control, data compromise, or disruption of service depending on the commands executed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring for suspicious POST requests to the endpoint /v2/file/safe/status containing unusual or specially crafted safe_dir parameters that include shell command injection patterns such as $(...), backticks, or other special characters. Network IDS/IPS rules can be created to alert on POST requests to this endpoint with suspicious payloads. On the device itself, checking running processes for unexpected commands or network connections initiated by the NAS device may help. Since the vulnerability involves command injection via the safe_dir parameter, commands like the following could help detect exploitation attempts or the presence of malicious directories:
1. Monitor HTTP POST requests to /v2/file/safe/status with tools like tcpdump or Wireshark, filtering for POST requests to that path.
2. On the NAS device, list snapshot directories and check for suspicious directory names containing shell command syntax: `ls -l /sata*/snapshot/`
3. Search for processes related to gocryptfs with injected parameters: ``ps -ef | grep gocryptfs | grep -v grep | grep -E '\$\(|`' ``
4. Monitor network connections that could indicate reverse shells, e.g., using netstat or ss: `netstat -anp | grep sh`
Because the vulnerability is exploited by injecting commands into directory names, detection involves looking for abnormal directory names and unusual POST requests to the vulnerable endpoint. [3]
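The request-level detection described above, as an added example that is not part of this advisory: it classifies HTTP requests and raises an alert when a POST to /v2/file/safe/status carries a safe_dir value containing shell substitution or separator syntax. Only the endpoint and the parameter name come from the page; the body encoding (form-encoded or JSON) and the sample requests are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, unquote

VULN_PATH = "/v2/file/safe/status"
# Shell substitution and command-separator syntax named in the guidance above;
# none of it belongs in a legitimate snapshot directory name.
INJECTION = re.compile(r"\$\(|\$\{|`|[;|&\r\n]")


def safe_dir_values(body: str) -> list:
    """Pull every safe_dir value out of a form-encoded or JSON request body.
    The body encoding is an assumption: the advisory only names the parameter."""
    vals = []
    stripped = body.strip()
    if stripped.startswith("{"):
        try:
            v = json.loads(stripped).get("safe_dir")
            if isinstance(v, str):
                vals.append(v)
        except ValueError:
            pass  # not valid JSON; fall through to the form-encoded parser
    vals.extend(parse_qs(body, keep_blank_values=True).get("safe_dir", []))
    return [unquote(v) for v in vals]  # normalise any remaining %-encoding


def classify(method: str, path: str, body: str) -> str:
    """'alert' for a POST to the vulnerable path whose safe_dir contains shell
    metacharacters, 'watch' for any other POST to that path, 'ok' otherwise."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return "ok"
    if any(INJECTION.search(v) for v in safe_dir_values(body)):
        return "alert"
    return "watch"


# Constructed sample requests (not captured traffic): (method, path, body)
SAMPLES = [
    ("POST", VULN_PATH, "safe_dir=/sata1/snapshot/backup"),
    ("POST", VULN_PATH, "safe_dir=/sata1/snapshot/x%24%28id%29"),
    ("POST", VULN_PATH, '{"safe_dir": "/sata1/snapshot/`id`"}'),
    ("GET", VULN_PATH, ""),
    ("POST", "/v2/file/list", "safe_dir=$(id)"),
]


def scan(samples=SAMPLES) -> list:
    """Return one verdict per sample, in order."""
    return [classify(m, p, b) for m, p, b in samples]


if __name__ == "__main__":
    for (method, path, body), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:5} {method} {path} {body}")
```

The last sample shows the intended scoping: a metacharacter in safe_dir on a different path is not flagged, so the rule stays tied to the vulnerable handler rather than to the parameter name alone.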
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Replace or upgrade the affected ZSPACE Z4Pro+ device firmware if a patch is available. Since no known countermeasures or mitigations have been published, replacing the affected product is recommended.
2. Restrict network access to the vulnerable endpoint /v2/file/safe/status by firewall rules or network segmentation to prevent remote exploitation.
3. Disable or restrict HTTP POST access to the vulnerable API endpoint if possible.
4. Monitor and audit the device for suspicious activity or signs of compromise.
5. Remove or quarantine any suspicious snapshot directories that may contain malicious payloads.
Since the vulnerability allows remote command execution without authentication, limiting exposure and replacing the device or firmware is critical. [1, 2, 3]