How to fix CVE-2025-14108?

Within 24 hours: Inventory all ZSPACE Q2C NAS deployments and document affected versions; isolate systems from untrusted networks if operationally feasible; restrict HTTP POST access to the /v2/file/safe/open endpoint to authorized users only. Within 7 days: Implement network segmentation to limit lateral movement if compromise occurs; enable enhanced logging and monitoring on affected systems; establish incident response procedures specific to command injection attacks. Within 30 days: Contact vendor for patch availability timeline; evaluate alternative storage solutions if patch timeline is unacceptable; conduct vulnerability assessment of dependent systems that connect to affected NAS devices.

Is Command Injection affected by CVE-2025-14108?

ZSPACE Q2C NAS systems running version 1.1.0210050 and earlier are vulnerable to remote command injection through a publicly disclosed exploit with no available patch.

CVE-2025-14108

EUVD-2025-201501 HIGH

2025-12-05 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201501

PoC Detected

Dec 16, 2025 - 08:15 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.8

Description

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Analysis

Technical Context

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

Affected Products

Affected products: Zspace Q2C Nas Firmware

Remediation

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +44

POC: +20

CVE-2025-14108 vulnerability details – vuln.today

Back

CVE-2025-14108

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-14108

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code