CVE-2025-14108
published 2025-12-05CVE-2025-14108: A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open…
PriorityP272high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
9.23%
94.7th percentile
A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zspace | q2c_nas | — | — |
| zspace | q2c_nas_firmware | <= 1.1.0210050 | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://www.notion.so/ZSPACE-NAS-Command-Injection-2af6cf4e528a80258f60fa529c48d291
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZSPACE open safe_dir Parameter Command Injection Attempt (CVE-2025-14108)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/v2/file/safe/open"; fast_pattern; http.request_body; content:"safe_dir|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/ZSPACE-NAS-Command-Injection-2af6cf4e528a80258f60fa529c48d291; reference:cve,2025-14108; classtype:attempted-admin; sid:2066184; rev:1; metadata:affected_product ZSPACE, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_08, cve CVE_2025_14108, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Target HTTP POST requests to the exact URI /v2/file/safe/open (URI byte size is exactly 18 characters) on ZSPACE NAS devices.
- →Inspect the HTTP POST request body for the parameter 'safe_dir=' (URL-encoded as 'safe_dir|3d|') followed by shell injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- →The attack is plaintext (non-TLS); deploy detection at the network perimeter and internally targeting the destination IP running the ZSPACE NAS service.
- →The vulnerability is remotely exploitable via HTTP POST; the exploit is publicly available. Classify detections as attempted-admin / Major severity aligned with MITRE T1190 (Exploit Public-Facing Application).
- ·The Snort/Suricata rule (SID 2066184) targets plaintext HTTP only; if the ZSPACE management interface is exposed over HTTPS, the PCRE-based body inspection will not fire and additional TLS-inspection capability is required.
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS ZSPACE open safe_dir Parameter Command Injection Attempt (CVE-2025-14108)
suricata·2025-12-08·CVSS 7.4
CVE-2025-14108 [HIGH] ET WEB_SPECIFIC_APPS ZSPACE open safe_dir Parameter Command Injection Attempt (CVE-2025-14108)
ET WEB_SPECIFIC_APPS ZSPACE open safe_dir Parameter Command Injection Attempt (CVE-2025-14108)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZSPACE open safe_dir Parameter Command Injection Attempt (CVE-2025-14108)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/v2/file/safe/open"; fast_pattern; http.request_body; content:"safe_dir|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.notion.so/ZSPACE-NAS-Command-Injection-2af6cf4e528a80258f60fa529c48d291; reference:cve,2025-14108; classtype:attempted-admin; sid:2066184; rev:1; metadata:affected_product ZSPACE, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_08, cve CVE_2025_1410
No public exploits indexed.
No writeups or analysis indexed.
2025-12-05
Published