CVE-2025-14108

HighPublic PoCRCE

Published: 05 December 2025

Published

05 December 2025

Modified

16 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0122 79.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14108 is a high-severity Injection (CWE-74) vulnerability in Zspace Q2C Nas Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 20.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by validating and sanitizing the safe_dir argument in the vulnerable HTTP POST endpoint.

SI-2 Flaw Remediation good match

prevent

Ensures timely installation of the vendor's planned patch to remediate the specific command injection flaw.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection with web application firewalls can inspect and block malicious HTTP requests exploiting the safe_dir injection.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection in web API enables arbitrary remote command execution by low-priv authenticated users, facilitating exploitation of remote services (T1210), privilege escalation (T1068), and Unix shell command execution (T1059.004) on the NAS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection.…

It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Deeper analysisAI

CVE-2025-14108 is a command injection vulnerability affecting ZSPACE Q2C NAS versions up to 1.1.0210050. The issue resides in the zfilev2_api.OpenSafe function, exposed via the /v2/file/safe/open endpoint in the HTTP POST Request Handler component. By manipulating the safe_dir argument, an attacker can inject arbitrary commands, as classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows full compromise, granting high impacts on confidentiality, integrity, and availability, such as executing arbitrary system commands on the NAS device. A public exploit is available, increasing the risk of widespread abuse.

VulDB advisories (e.g., ctiid.334490, id.334490) detail the issue, noting that the vendor was notified early, confirmed the vulnerability, and plans to release a technical fix. No specific patch version or immediate workaround is mentioned in the provided references. Security practitioners should monitor for updates from ZSPACE and restrict access to the affected endpoint where possible. The exploit's public availability heightens the urgency for affected systems.

Details

CWE(s): CWE-74 CWE-77

Affected Products

zspace

q2c nas firmware

≤ 1.1.0210050

CVEs Like This One

CVE-2025-14106Same product: Zspace Q2C Nas

CVE-2025-14107Same product: Zspace Q2C Nas

CVE-2025-15132Same vendor: Zspace

CVE-2025-15133Same vendor: Zspace

CVE-2025-15131Same vendor: Zspace

CVE-2025-2727Shared CWE-74, CWE-77

CVE-2025-2729Shared CWE-74, CWE-77

CVE-2025-2731Shared CWE-74, CWE-77

CVE-2026-7067Shared CWE-74, CWE-77

CVE-2025-2725Shared CWE-74, CWE-77

References

https://vuldb.com/?ctiid.334490
VDB Entry · cna@vuldb.com
https://vuldb.com/?id.334490
VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.697144
VDB Entry · cna@vuldb.com
https://www.notion.so/2af6cf4e528a80258f60fa529c48d291
Exploit, Third Party Advisory · cna@vuldb.com