OS Command Injection Vulnerability in Zend.To by Zend Technologies
CVE-2025-5952
Key Information:
- Vendor
Zend Technologies
- Status
- Vendor
- CVE Published:
- 10 June 2025
Badges
What is CVE-2025-5952?
A vulnerability exists in Zend.To versions prior to 6.10-7 Beta that permits attackers to execute arbitrary OS commands through the manipulation of the 'file_1' argument in the NSSDropoff.php file. This flaw, which can be exploited remotely, allows unauthorized users to inject malicious commands, potentially compromising the system's integrity. It is highly recommended to update to the latest version to mitigate the risk associated with this vulnerability.
Affected Version(s)
Zend.To 6.10-6 Beta
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved