CVE-2025-14108

Name of the Vulnerable Software and Affected Versions ZSPACE Q2C NAS versions up to 1.1.0210050

Description A weakness exists in ZSPACE Q2C NAS that allows for remote command injection. The issue is related to the zfilev2 api.OpenSafe function within the HTTP POST Request Handler component, specifically in the file /v2/file/safe/open. Manipulation of the safe dir argument can lead to command injection. A public exploit is available. The vendor was notified but did not respond.

Recommendations Versions prior to 1.1.0210050 should be updated. As a temporary workaround, consider restricting access to the /v2/file/safe/open API endpoint. Avoid using the safe dir parameter in the affected API endpoint until the issue is resolved.