What is the CVSS score of CVE-2025-14107?

CVE-2025-14107 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.8%.

Which versions of Q2c Nas Firmware are affected by CVE-2025-14107?

ZSPACE Q2C NAS devices running version 1.1.0210050 and earlier are vulnerable to remote command injection through the file API endpoint, with public exploits already available.

Is there a public PoC exploit available for CVE-2025-14107?

Yes, a public proof-of-concept exploit is available for CVE-2025-14107. Prioritise patching immediately. EPSS: 0.8%.

How to fix or mitigate CVE-2025-14107?

Within 24 hours: Inventory all ZSPACE Q2C NAS deployments and confirm versions; isolate affected devices from untrusted networks and restrict HTTP POST access to the /v2/file/safe/status endpoint. Within 7 days: Implement network segmentation to limit NAS access to authorized users only; deploy WAF rules to block malicious safe_dir parameter payloads; disable the zfilev2_api.SafeStatus feature if operationally feasible. Within 30 days: Monitor vendor communications for patch release; schedule immediate patching upon availability; conduct security assessment of NAS systems for evidence of exploitation.

Q2c Nas Firmware CVE-2025-14107

EUVD-2025-201503 HIGH

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-12-05 cna@vuldb.com

Command Injection Q2c Nas Firmware

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201503

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

PoC Detected

Dec 16, 2025 - 08:15 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.8

DescriptionCVE.org

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

RemediationAI

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

CVE-2025-14107 vulnerability details – vuln.today

Back

Q2c Nas Firmware CVE-2025-14107

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code