A command injection vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. It affects the function zfilev2_api_open, associated with /v2/file/safe/open, in the HTTP POST Request Handler component. Manipulated input to this function results in command injection. The attack can be initiated remotely; the record's CVSS vectors (PR:L in v3.x, Au:S in v2.0) indicate that low-privileged, authenticated access is required. An exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure.
PUBLISHED | 5.2 | CWE-77 | CWE-74
ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection
Problem type
Affected products
ZSPACE
Z4Pro+
1.0.0440024 - AFFECTED
References
VDB-338510 | ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection
https://vuldb.com/?id.338510
VDB-338510 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/?ctiid.338510
Submit #713885 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection
https://vuldb.com/?submit.713885
github.com
https://github.com/LX-66-LX/cve/issues/2
GitHub Security Advisories
GHSA-v2w5-94qr-4c5g
A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function...
https://github.com/advisories/GHSA-v2w5-94qr-4c5g
A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function zfilev2_api_open of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-15132
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-15132",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2025-12-28T10:32:05.208Z",
"dateReserved": "2025-12-27T09:36:47.274Z",
"datePublished": "2025-12-28T10:32:05.208Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2025-12-28T10:32:05.208Z"
},
"title": "ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function zfilev2_api_open of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."
}
],
"affected": [
{
"vendor": "ZSPACE",
"product": "Z4Pro+",
"modules": [
"HTTP POST Request Handler"
],
"versions": [
{
"version": "1.0.0440024",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Command Injection",
"cweId": "CWE-77",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Injection",
"cweId": "CWE-74",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.338510",
"name": "VDB-338510 | ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/?ctiid.338510",
"name": "VDB-338510 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.713885",
"name": "Submit #713885 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/LX-66-LX/cve/issues/2",
"tags": [
"exploit",
"issue-tracking"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 6.5
}
}
],
"timeline": [
{
"time": "2025-12-27T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2025-12-27T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2025-12-27T10:41:57.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "LX-66-LX (VulDB User)",
"type": "reporter"
}
]
}
}
}