| Title | ZSPACE Z4Pro+ v1.0.0440024 Command Injection |
|---|
| Description | A binary vulnerability exists in the ZSPACE Z4pro+ NAS device (Firmware v1.0.0440024), leading to Remote Command Execution (RCE). A remote attacker can send a specially crafted POST request to the /v2/file/safe/close interface to inject and execute arbitrary malicious commands on the remote target device. This allows the attacker to gain the highest ROOT privileges and completely control the victim's NAS device. |
|---|
| Source | ⚠️ https://github.com/LX-66-LX/cve/issues/3 |
|---|
| User | LX-66-LX (UID 92717) |
|---|
| Submission | 12/12/2025 07:14 (4 months ago) |
|---|
| Moderation | 12/27/2025 10:36 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 338511 [ZSPACE Z4Pro+ 1.0.0440024 HTTP POST Request /v2/file/safe/close zfilev2_api_CloseSafe command injection] |
|---|
| Points | 19 |
|---|