CVE-2025-5952

A vulnerability, which was classified as critical, has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. The manipulation of the argument file_1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 is able to address this issue. It is recommended to upgrade the affected component. This affects a rather old version of the software. The vendor recommends updating to the latest release. Additional countermeasures have been added in 6.15-8.

CVSS v3 7.3 HIGH
CVSS v2.0 7.5 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://matheuscezar.github.io/2025/05/24/0-day-in-zend-to.html
https://vuldb.com/?ctiid.311789
https://vuldb.com/?id.311789
https://vuldb.com/?submit.589178

Configurations

No configuration.

History

10 Jun 2025, 16:15

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad clasificada como crítica en Zend.To hasta la versión 6.10-6 Beta. Este problema afecta a la función exec del archivo NSSDropoff.php. La manipulación del argumento file_1 provoca la inyección de comandos del sistema operativo. El ataque puede iniciarse en remoto. Se ha hecho público el exploit y puede que sea utilizado. Actualizar a la versión 6.10-7 puede solucionar este problema. Se recomienda actualizar el componente afectado. Esto afecta a una versión bastante antigua del software. El proveedor recomienda actualizar a la última versión.
Summary	(en) A vulnerability, which was classified as critical, has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. The manipulation of the argument file_1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 is able to address this issue. It is recommended to upgrade the affected component. This affects a rather old version of the software. The vendor recommends updating to the latest release.	(en) A vulnerability, which was classified as critical, has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. The manipulation of the argument file_1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 is able to address this issue. It is recommended to upgrade the affected component. This affects a rather old version of the software. The vendor recommends updating to the latest release. Additional countermeasures have been added in 6.15-8.

10 Jun 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 05:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-5952

Mitre link : CVE-2025-5952

CVE.ORG link : CVE-2025-5952

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.3 /10