How to fix CVE-2025-14106?

Within 24 hours: Identify and inventory all ZSPACE Q2C NAS systems in your environment and confirm version numbers; immediately isolate affected devices from production networks if possible or restrict HTTP POST access to the /v2/file/safe/close endpoint to trusted IP ranges only. Within 7 days: Implement network segmentation and WAF rules to block malicious payloads targeting the vulnerable endpoint; contact ZSPACE vendor for patch timeline and interim guidance; establish 24/7 monitoring for exploitation attempts. Within 30 days: Apply vendor patch immediately upon release; conduct forensic analysis of affected systems for signs of compromise; review access logs for suspicious activity dating back 90 days.

Is Command Injection affected by CVE-2025-14106?

A critical remote command injection vulnerability exists in ZSPACE Q2C NAS systems (versions up to 1.1.0210050) that allows unauthenticated attackers to execute arbitrary commands.

CVE-2025-14106

EUVD-2025-201502 HIGH

2025-12-05 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201502

PoC Detected

Dec 16, 2025 - 08:15 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.8

Description

A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Analysis

Technical Context

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

Affected Products

Affected products: Zspace Q2C Nas Firmware

Remediation

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.6

CVSS: +44

POC: +20

CVE-2025-14106 vulnerability details – vuln.today

Back

CVE-2025-14106

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-14106

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code