What is the CVSS score of EUVD-2025-201501?

EUVD-2025-201501 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Q2c Nas Firmware are affected by EUVD-2025-201501?

ZSPACE Q2C NAS systems running version 1.1.0210050 and earlier are vulnerable to remote command injection through a publicly disclosed exploit with no available patch.

Is there a public PoC exploit available for EUVD-2025-201501?

Yes, a public proof-of-concept exploit is available for EUVD-2025-201501. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate EUVD-2025-201501?

Within 24 hours: Inventory all ZSPACE Q2C NAS deployments and document affected versions; isolate systems from untrusted networks if operationally feasible; restrict HTTP POST access to the /v2/file/safe/open endpoint to authorized users only. Within 7 days: Implement network segmentation to limit lateral movement if compromise occurs; enable enhanced logging and monitoring on affected systems; establish incident response procedures specific to command injection attacks. Within 30 days: Contact vendor for patch availability timeline; evaluate alternative storage solutions if patch timeline is unacceptable; conduct vulnerability assessment of dependent systems that connect to affected NAS devices.

Q2c Nas Firmware EUVD-2025-201501

| CVE-2025-14108 HIGH

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-12-05 cna@vuldb.com

Command Injection Q2c Nas Firmware

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201501

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

PoC Detected

Dec 16, 2025 - 08:15 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 22:15 nvd

HIGH 8.8

DescriptionCVE.org

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

RemediationAI

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

EUVD-2025-201501 vulnerability details – vuln.today

Back

Q2c Nas Firmware EUVD-2025-201501

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code