cbcvebase.
CVE-2025-14107
published 2025-12-05

CVE-2025-14107: A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file…

PriorityP273high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
10.78%
95.3th percentile
A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Affected

2 ranges
VendorProductVersion rangeFixed in
zspaceq2c_nas
zspaceq2c_nas_firmware<= 1.1.0210050

Detection & IOCsextracted from sources · hover to see the quote

url/v2/file/safe/status
path/v2/file/safe/status
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZSPACE status safe_dir Parameter Command Injection Attempt (CVE-2025-14107)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:20; content:"/v2/file/safe/status"; fast_pattern; http.request_body; content:"safe_dir|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/ZSPACE-NAS-Command-Injection-2af6cf4e528a8001935bcdd9e77f1ebc; reference:cve,2025-14107; classtype:attempted-admin; sid:2066186; rev:1; metadata:affected_product ZSPACE, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_08, cve CVE_2025_14107, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Target HTTP POST requests to the exact URI path /v2/file/safe/status (URI length is exactly 20 bytes) on ZSPACE Q2C NAS devices.
  • Inspect the POST request body for the parameter 'safe_dir=' followed by shell injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The exploit is public and targets plaintext HTTP traffic; deploy detection at both perimeter and internal network boundaries.
  • The vulnerable function is zfilev2_api.SafeStatus; any process or log activity referencing this function on ZSPACE NAS versions up to 1.1.0210050 should be treated as suspicious.
  • Reference the public exploit write-up at the Notion URL for additional payload samples and reproduction steps.
  • ·The Snort/ET rule (sid:2066186) only covers plaintext HTTP traffic; HTTPS-wrapped traffic to the same endpoint will not be detected by this signature.
  • ·The URI bsize match is exactly 20 bytes; any URL encoding or path variation of /v2/file/safe/status that changes the byte length will evade the fast_pattern match.
  • ·Affected versions are ZSPACE Q2C NAS up to 1.1.0210050; a technical fix is planned but not yet released at time of disclosure.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.