CVE-2025-15131

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ZSPACE Z4Pro+ version 1.0.0440024

Description A command injection issue exists in ZSPACE Z4Pro+. The issue is located within the HTTP POST Request Handler component, specifically in the zfilev2 api SafeStatus function accessible via the /v2/file/safe/status API endpoint. Remote attackers can exploit this to execute arbitrary commands. The exploit has been publicly released.

Recommendations Versions prior to 1.0.0440024 should be upgraded. As a temporary workaround, consider disabling the zfilev2 api SafeStatus function until a patch is available. Restrict access to the /v2/file/safe/status API endpoint to minimize the risk of exploitation.

Exploit

Fix

Special Elements Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-77

Related Identifiers

CVE-2025-15131

Affected Products

Zspace Z4Pro+

CVE-2025-15131

Weakness Enumeration

Related Identifiers

Affected Products

References · 10