PT-2025-49317 · Unknown · Zspace Q2C Nas

Renguangyue · Published 2025-12-05 · Updated 2025-12-16 · CVE-2025-14107

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ZSPACE Q2C NAS versions through 1.1.0210050

Description

A security flaw exists in ZSPACE Q2C NAS that allows for remote command injection. The issue is located within the zfilev2 api.SafeStatus function of the HTTP POST Request Handler component, specifically through the /v2/file/safe/status endpoint. Manipulation of the safe dir argument can lead to command injection. The exploit has been publicly released.

Recommendations

Versions prior to 1.1.0210050 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Special Elements Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-14107

Affected Products

Zspace Q2C Nas