Vulnerability Description
A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zspace | Q2C Nas Firmware | <= 1.1.0210050 |
| Zspace | Q2C Nas | - |
Related Weaknesses (CWE)
References
- https://vuldb.com/?ctiid.334490VDB Entry
- https://vuldb.com/?id.334490VDB Entry
- https://vuldb.com/?submit.697144VDB Entry
- https://www.notion.so/2af6cf4e528a80258f60fa529c48d291ExploitThird Party Advisory
FAQ
What is CVE-2025-14108?
CVE-2025-14108 is a vulnerability with a CVSS score of 8.8 (HIGH). A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handle...
How severe is CVE-2025-14108?
CVE-2025-14108 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14108?
Check the references section above for vendor advisories and patch information. Affected products include: Zspace Q2C Nas Firmware, Zspace Q2C Nas.