CVE-2025-5952

EUVD-2025-17626
Severity: HIGH, 7.3 (CVSS 3.1)
Date: 2025-06-10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17626
CVE Published: Jun 10, 2025 - 05:15 (nvd), HIGH 7.3

Description

A vulnerability, which was classified as critical, has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. The manipulation of the argument file_1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 is able to address this issue. It is recommended to upgrade the affected component. This affects a rather old version of the software. The vendor recommends updating to the latest release. Additional countermeasures have been added in 6.15-8.

Analysis

A critical OS command injection vulnerability exists in Zend.To versions up to 6.10-6 Beta, where unsanitized user input in the 'file_1' parameter of NSSDropoff.php's exec function allows remote, unauthenticated attackers to execute arbitrary system commands with application-level privileges. The vulnerability has been publicly disclosed with working exploits available, making active exploitation probable, though it affects an older software version that has been superseded by newer releases with additional security controls.

Technical Context

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection flaw occurring in the NSSDropoff.php file's exec function. Zend.To is a secure file transfer and drop-off solution typically deployed in enterprise environments. The root cause stems from insufficient input validation/sanitization on the 'file_1' parameter before it is passed to OS-level command execution functions (likely shell_exec, exec, or system in PHP). The affected product CPE would be approximately 'cpe:2.3:a:zend:zend.to:*:*:*:*:*:*:*:*' with versions 6.10-6 and earlier in the 6.x branch. The vulnerability is particularly dangerous because the exec function in PHP, when improperly used, directly invokes the operating system shell without proper escaping, allowing shell metacharacters and command separators to break out of intended command boundaries.

Affected Products

Zend.To (6.10-6 Beta and all earlier versions in the 6.x branch)

Remediation

- action: Immediate Patch; details: Upgrade Zend.To to version 6.10-7 or later. Version 6.15-8 includes additional countermeasures and is recommended as the target release.; priority: Critical
- action: Input Validation; details: If immediate patching is not feasible, implement strict input validation on the 'file_1' parameter. Whitelist only alphanumeric characters and safe file path characters; reject any special shell characters (|, ;, &, $, `, >, <, etc.).
- action: Network Segmentation; details: Restrict network access to Zend.To instances to trusted internal IP ranges only. Do not expose NSSDropoff.php endpoints directly to the internet without authentication.
- action: Web Application Firewall (WAF); details: Deploy WAF rules to detect and block payloads in the 'file_1' parameter containing shell metacharacters or command separators (e.g., 'file_1=*;whoami' patterns).
- action: Monitoring; details: Enable application and system logging to detect suspicious command execution patterns in NSSDropoff.php access logs and OS process logs.
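
The input-validation item above, sketched as an added PHP example (not Zend.To's code; the function names and the scanner path are hypothetical). It pairs an allowlist check on the file_1 value with process execution that never passes through a shell.

```php
<?php
declare(strict_types=1);

// Added illustration, not Zend.To source code. Function names and the
// scanner path are hypothetical.

// Allowlist: letters, digits, dot, underscore, hyphen, at most 255 chars.
// The first character must be alphanumeric, so values such as "-o"
// (option injection) and "../etc" are rejected along with metacharacters.
function is_safe_file_1(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $name) === 1;
}

// Run a helper on the upload without a shell: with an array command
// (PHP >= 7.4) proc_open() executes the binary directly, so every array
// element reaches the program as exactly one argv entry.
function scan_upload(string $dir, string $name): int
{
    if (!is_safe_file_1($name)) {
        throw new InvalidArgumentException('file_1 rejected by allowlist');
    }
    $cmd  = ['/usr/local/bin/example-scanner', '--', $dir . '/' . $name]; // hypothetical binary
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start scanner');
    }
    stream_get_contents($pipes[1]); // drain stdout so the child cannot block
    fclose($pipes[1]);
    return proc_close($proc);       // exit status of the helper
}

// Constructed sample values for the file_1 field.
$samples = ['report.pdf', 'backup_2025-06.tar.gz', 'a;b.txt', 'x|y',
            '$(x).txt', '-o', '../etc', 'two words.txt'];
foreach ($samples as $s) {
    printf("%-24s %s\n", $s, is_safe_file_1($s) ? 'accept' : 'reject');
}
```

Only the first two sample values are accepted. The allowlist is a stopgap for hosts that cannot yet be upgraded; it does not replace moving to a fixed release.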

Priority Score

37
KEV: 0
EPSS: +0.4
CVSS: +36
POC: 0
