- **Title**: ZSPACE Z4Pro+ v1.0.0440024 Command Injection
- **Description**: A binary vulnerability exists in the ZSPACE Z4Pro+ NAS device (Firmware v1.0.0440024), leading to Remote Command Execution (RCE). A remote attacker can send a specially crafted POST request to the `/v2/file/safe/close` interface to inject and execute arbitrary malicious commands on the remote target device. This allows the attacker to gain the highest ROOT privileges and completely control the victim's NAS device.
- **Source**: https://github.com/LX-66-LX/cve/issues/3
- **User**: LX-66-LX (UID 92717)
- **Submission Date**: 12/12/2025 07:14 AM
- **Moderation Date**: 12/27/2025 10:36 AM
- **Status**: Accepted
- **VulDB Entry**: 338511 [ZSPACE Z4Pro+ 1.0.0440024 HTTP POST Request /v2/file/safe/close zfilev2_api_CloseSafe command injection]
- **Points**: 19