CVE-2025-14108

Exploit

EPSS 0.39%
Veröffentlicht 05.12.2025 22:15:49
Zuletzt bearbeitet 16.12.2025 08:15:52
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zspace ≫ Q2c Nas Firmware Version <= 1.1.0210050

Zspace ≫ Q2c Nas Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.596

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	7.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://vuldb.com/?ctiid.334490

VDB Entry

https://vuldb.com/?id.334490

VDB Entry

https://vuldb.com/?submit.697144

VDB Entry

https://www.notion.so/2af6cf4e528a80258f60fa529c48d291

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-14108

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-14108

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-14108

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-14108