What is the CVSS score of CVE-2025-14106?

CVE-2025-14106 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.6%.

Which versions of Q2c Nas Firmware are affected by CVE-2025-14106?

A critical remote command injection vulnerability exists in ZSPACE Q2C NAS systems (versions up to 1.1.0210050) that allows unauthenticated attackers to execute arbitrary commands.

Is there a public PoC exploit available for CVE-2025-14106?

Yes, a public proof-of-concept exploit is available for CVE-2025-14106. Prioritise patching immediately. EPSS: 0.6%.

How to fix or mitigate CVE-2025-14106?

Within 24 hours: Identify and inventory all ZSPACE Q2C NAS systems in your environment and confirm version numbers; immediately isolate affected devices from production networks if possible or restrict HTTP POST access to the /v2/file/safe/close endpoint to trusted IP ranges only. Within 7 days: Implement network segmentation and WAF rules to block malicious payloads targeting the vulnerable endpoint; contact ZSPACE vendor for patch timeline and interim guidance; establish 24/7 monitoring for exploitation attempts. Within 30 days: Apply vendor patch immediately upon release; conduct forensic analysis of affected systems for signs of compromise; review access logs for suspicious activity dating back 90 days.

Q2c Nas Firmware CVE-2025-14106

EUVD-2025-201502 HIGH

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-12-05 cna@vuldb.com

Command Injection Q2c Nas Firmware

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201502

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

PoC Detected

Dec 16, 2025 - 08:15 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.8

DescriptionCVE.org

A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

RemediationAI

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

CVE-2025-14106 vulnerability details – vuln.today

Back

Q2c Nas Firmware CVE-2025-14106

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code