CVE-2025-5952

Name of the Vulnerable Software and Affected Versions Zend.To versions 6.10-6 Beta and earlier

Description A critical vulnerability has been found in Zend.To, affecting the function exec of the file NSSDropoff.php. The manipulation of the argument file 1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This issue affects a rather old version of the software. The vendor recommends updating to the latest release.

Recommendations To address this issue, upgrade to version 6.10-7 or later. As a temporary workaround, consider disabling the exec function in the NSSDropoff.php file until a patch is available. Restrict access to the vulnerable file to minimize the risk of exploitation. Avoid using the file 1 argument in the affected function until the issue is resolved.