| Title | ZSPACE Z4Pro+ v1.0.0440024 Command Injection |
|---|
| Description | [cite_start]A binary vulnerability exists in the ZSPACE Z4pro+ NAS device (Firmware v1.0.0440024), leading to Remote Command Execution (RCE)[cite: 4, 10]. [cite_start]A remote attacker can send a specially crafted POST request to the /v2/file/safe/open interface to inject and execute arbitrary malicious commands on the remote target device[cite: 11]. [cite_start]This allows the attacker to gain the highest ROOT privileges and completely control the victim's NAS device[cite: 12]. |
|---|
| Source | ⚠️ https://github.com/LX-66-LX/cve/issues/2 |
|---|
| User | LX-66-LX (UID 92717) |
|---|
| Submission | 12/12/2025 07:06 (4 months ago) |
|---|
| Moderation | 12/27/2025 10:36 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 338510 [ZSPACE Z4Pro+ 1.0.0440024 HTTP POST Request /v2/file/safe/open zfilev2_api_open command injection] |
|---|
| Points | 20 |
|---|