CVE-2025-15133
Command Injection in ZSPACE Z4Pro+ HTTP POST Handler

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
Meta Information
Published: 2025-12-28
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-12-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: zspace
Product: z4pro+
Version / Range: 1.0.0440024
CWE IDs and Descriptions
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the ZSPACE Z4Pro+ 1.0.0440024, specifically in the function zfilev2_api_CloseSafe within the HTTP POST Request Handler component. It allows an attacker to perform command injection by manipulating this function, potentially executing arbitrary commands on the affected system. The attack can be launched remotely, and an exploit is publicly available.


How can this vulnerability impact me?

The vulnerability can allow a remote attacker to execute arbitrary commands on the affected system, which may lead to unauthorized access, data compromise, system disruption, or further exploitation of the environment. This can result in loss of confidentiality, integrity, and availability of the system and its data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information regarding the impact of CVE-2025-15133 on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can be performed by monitoring for suspicious POST requests to the endpoint /v2/file/safe/close with unusual or specially crafted 'safe_dir' parameters that may contain command injection payloads. Since the vulnerability involves command injection via the 'safe_dir' parameter, inspecting logs for POST requests to this endpoint with suspicious input is recommended. A possible detection command on the affected device could be to check running processes for injected commands, for example: `ps -ef | grep gocryptfs | grep -v grep | grep <suspicious_safe_dir>` to identify if malicious commands have been executed. Network monitoring tools can also be used to detect unusual POST requests to /v2/file/safe/close. However, no specific detection tools or signatures are provided. [2]
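One way to apply the log-inspection advice above, as an added example that is not part of the advisory or of any vendor tooling: it assumes a reverse-proxy or WAF request log that records the POST body as form-encoded text; the record layout, source IPs and the metacharacter set are this example's own construction, while the endpoint and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory; the metacharacter set is this
# example's own choice, any one of them in a directory path warrants review.
ENDPOINT = "/v2/file/safe/close"
PARAM = "safe_dir"
META = re.compile(r"[;&|`$<>\r\n]")

def parse_line(line):
    """Parse one constructed record '<src_ip> <method> <path> [<form-body>]'.
    Assumes a proxy/WAF log that keeps the POST body as form-encoded text."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3:
        return None
    src, method, path = parts[:3]
    return {"src": src, "method": method, "path": path,
            "body": parts[3] if len(parts) == 4 else ""}

def flag_request(rec):
    """Return a reason string if the record looks like an injection attempt, else None."""
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != ENDPOINT:
        return None
    # parse_qs URL-decodes once, so an encoded '%3B' is inspected as ';'.
    for value in parse_qs(rec["body"], keep_blank_values=True).get(PARAM, []):
        m = META.search(value)
        if m:
            return f"{PARAM} contains shell metacharacter {m.group()!r}: {value!r}"
    return None

def scan(lines):
    """Return (src_ip, reason) for every flagged record in an iterable of log lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (reason := flag_request(rec)):
            hits.append((rec["src"], reason))
    return hits

# Constructed sample records, not captured from a real device.
SAMPLE_LOG = [
    "10.0.0.5 POST /v2/file/safe/close safe_dir=%2Fmnt%2Fsafe01",
    "10.0.0.5 POST /v2/file/safe/list safe_dir=%2Fmnt%2Fsafe01%3Becho%20probe",
    "198.51.100.7 POST /v2/file/safe/close safe_dir=%2Fmnt%2Fsafe01%3Becho%20probe",
    "198.51.100.7 POST /v2/file/safe/close safe_dir=%2Fmnt%2Fsafe01%20%7C%7C%20echo%20x",
    "10.0.0.9 GET /v2/file/safe/close",
]
```

Only POST requests to the exact endpoint are inspected, so the same payload sent to another path or by GET is not reported; widen the filter if the device logs show the handler reachable by other routes.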


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable API endpoint /v2/file/safe/close to trusted users only, such as by implementing network-level access controls or firewall rules to block unauthorized remote POST requests. Since no official patches or fixes are available, it is recommended to replace the affected product or firmware version 1.0.0440024 with a secure version once available. Additionally, monitoring for exploitation attempts and disabling or limiting the use of the vulnerable functionality can reduce risk. [1, 2]

