How to fix CVE-2025-14107?

Within 24 hours: Inventory all ZSPACE Q2C NAS deployments and confirm versions; isolate affected devices from untrusted networks and restrict HTTP POST access to the /v2/file/safe/status endpoint. Within 7 days: Implement network segmentation to limit NAS access to authorized users only; deploy WAF rules to block malicious safe_dir parameter payloads; disable the zfilev2_api.SafeStatus feature if operationally feasible. Within 30 days: Monitor vendor communications for patch release; schedule immediate patching upon availability; conduct security assessment of NAS systems for evidence of exploitation.

Is Command Injection affected by CVE-2025-14107?

ZSPACE Q2C NAS devices running version 1.1.0210050 and earlier are vulnerable to remote command injection through the file API endpoint, with public exploits already available.

CVE-2025-14107

EUVD-2025-201503 HIGH

2025-12-05 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201503

PoC Detected

Dec 16, 2025 - 08:15 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.8

Description

A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Analysis

Technical Context

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

Affected Products

Affected products: Zspace Q2C Nas Firmware

Remediation

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.8

CVSS: +44

POC: +20

CVE-2025-14107 vulnerability details – vuln.today

Back

CVE-2025-14107

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-14107

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code