cbcvebase.
CVE-2025-14106
published 2025-12-05

CVE-2025-14106: A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the…

PriorityP273high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
10.68%
95.2th percentile
A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Affected

2 ranges
VendorProductVersion rangeFixed in
zspaceq2c_nas
zspaceq2c_nas_firmware<= 1.1.0210050

Detection & IOCsextracted from sources · hover to see the quote

url/v2/file/safe/close
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZSPACE close safe_dir Parameter Command Injection Attempt (CVE-2025-14106)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/v2/file/safe/close"; fast_pattern; http.request_body; content:"safe_dir|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/ZSPACE-Q2C-NAS-Unauthorized-RCE-2af6cf4e528a80bab847dcc1fb677590; reference:cve,2025-14106; classtype:attempted-admin; sid:2066185; rev:1; metadata:affected_product ZSPACE, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_08, cve CVE_2025_14106, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Match HTTP POST requests to the exact URI /v2/file/safe/close (bsize:19) with a request body containing 'safe_dir=' followed by shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The injection point is the 'safe_dir' parameter in the POST body of the /v2/file/safe/close endpoint; the vulnerable function is zfilev2_api.CloseSafe.
  • Detection applies to plaintext (non-TLS) traffic; deploy at perimeter and internal network boundaries targeting destination IP.
  • The exploit is publicly available; treat any matching traffic as high-confidence attempted admin-level compromise (MITRE T1190 - Exploit Public-Facing Application).

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.