CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability classified as critical has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. Manipulation of the argument file_1 leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 addresses this issue; it is recommended to upgrade the affected component. This affects a rather old version of the software, and the vendor recommends updating to the latest release. Additional countermeasures have been added in 6.15-8.
Analysis
A critical OS command injection vulnerability exists in Zend.To versions up to 6.10-6 Beta, where unsanitized user input in the 'file_1' parameter of NSSDropoff.php's exec function allows remote, unauthenticated attackers to execute arbitrary system commands with application-level privileges. The vulnerability has been publicly disclosed with working exploits available, making active exploitation probable, though it affects an older software version that has been superseded by newer releases with additional security controls.
Technical Context
The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection flaw in the exec function of the NSSDropoff.php file. Zend.To is a secure file transfer and drop-off solution typically deployed in enterprise environments. The root cause is insufficient input validation and sanitization of the 'file_1' parameter before it is passed to an OS-level command execution function (likely shell_exec, exec, or system in PHP). The affected product CPE would be approximately 'cpe:2.3:a:zend:zend.to:*:*:*:*:*:*:*:*' with versions 6.10-6 and earlier in the 6.x branch. The flaw is particularly dangerous because PHP's exec function hands its command string to the operating system shell; without proper escaping, shell metacharacters and command separators embedded in the argument break out of the intended command boundaries.
Affected Products
Zend.To (6.10-6 Beta and all earlier versions in the 6.x branch)
Remediation
- Immediate Patch (priority: Critical): Upgrade Zend.To to version 6.10-7 or later. Version 6.15-8 includes additional countermeasures and is recommended as the target release.
- Input Validation: If immediate patching is not feasible, implement strict input validation on the 'file_1' parameter. Whitelist only alphanumeric characters and safe file path characters; reject any special shell characters (|, ;, &, $, `, >, <, etc.).
- Network Segmentation: Restrict network access to Zend.To instances to trusted internal IP ranges only. Do not expose NSSDropoff.php endpoints directly to the internet without authentication.
- Web Application Firewall (WAF): Deploy WAF rules to detect and block payloads in the 'file_1' parameter containing shell metacharacters or command separators (e.g., 'file_1=*;whoami' patterns).
- Monitoring: Enable application and system logging to detect suspicious command execution patterns in NSSDropoff.php access logs and OS process logs.
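As an added example (not Zend.To's own code), the allowlist validation and argument quoting described in the remediation items above, applied to a file_1-style filename before it reaches a PHP shell call; the drop-off directory, the scanner binary and the function names are assumptions:

```php
<?php
// Added example, not Zend.To code: defensive handling of an attacker-controlled
// filename (such as the file_1 parameter) before it is used in a shell command.
// Directory, scanner binary and function names are hypothetical.
declare(strict_types=1);

/**
 * Allowlist check: a drop-off filename may contain only letters, digits,
 * dot, dash and underscore, must start with a letter, digit or underscore,
 * and may not contain path separators. Everything else is rejected.
 */
function isSafeDropoffFilename(string $name): bool
{
    return strlen($name) <= 255
        && preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/', $name) === 1;
}

/**
 * Detects shell metacharacters and command separators. Used here as a
 * second, independent check on the request; the same test can be run
 * over logged file_1 values when hunting for exploitation attempts.
 */
function containsShellMetacharacters(string $value): bool
{
    return preg_match('/[|;&$`><*?(){}\[\]\\\\\'"\n\r]/', $value) === 1;
}

/**
 * Builds the command safely: the filename is confined to the drop-off
 * directory and quoted with escapeshellarg(), so metacharacters in $name
 * can never terminate the argument. Returns null when validation fails.
 */
function buildScanCommand(string $dropoffDir, string $name): ?string
{
    if (!isSafeDropoffFilename($name) || containsShellMetacharacters($name)) {
        return null;
    }
    $path = rtrim($dropoffDir, '/') . '/' . $name;
    // hypothetical scanner standing in for whatever the application actually runs
    return 'clamscan --no-summary ' . escapeshellarg($path);
}

// Constructed request values: one benign, two that must be rejected
foreach (['report.pdf', '*;whoami', 'weird name.txt'] as $candidate) {
    $cmd = buildScanCommand('/var/zendto/dropoffs', $candidate);
    echo $candidate, ' => ', $cmd ?? 'REJECTED', PHP_EOL;
}
```

Only the first value produces a command; the page's own 'file_1=*;whoami' pattern and the name containing a space are both refused before any shell is involved.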
EUVD-2025-17626