
CVE-2025-15133: Command Injection in ZSPACE Z4Pro+

Severity: Medium
Published: Sun Dec 28 2025 (12/28/2025, 11:02:10 UTC)
Source: CVE Database V5
Vendor/Project: ZSPACE
Product: Z4Pro+

Description

A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.

AI-Powered Analysis

Last updated: 12/30/2025, 23:20:16 UTC

Technical Analysis

CVE-2025-15133 identifies a command injection vulnerability in the ZSPACE Z4Pro+ version 1.0.0440024, specifically within the HTTP POST request handler function zfilev2_api_CloseSafe located at the /v2/file/safe/close endpoint. The vulnerability allows an attacker to remotely inject and execute arbitrary system commands by manipulating input parameters sent to this API endpoint. The flaw stems from insufficient input validation or sanitization, enabling the attacker to craft malicious payloads that the system executes at the OS level. Notably, the attack requires no authentication or user interaction, increasing the risk of exploitation. The CVSS 4.0 score is 5.3 (medium), reflecting the network attack vector, low complexity, and no required privileges or user interaction, but limited impact on confidentiality, integrity, and availability. The vendor was notified early, but no patch links are currently available, and no active exploitation in the wild has been reported. The availability of a public exploit increases the urgency for mitigation. This vulnerability could allow attackers to gain unauthorized control over the device, potentially leading to data breaches, device manipulation, or denial of service.

Potential Impact

For European organizations, the impact of CVE-2025-15133 could be significant, especially for those deploying ZSPACE Z4Pro+ devices in critical environments such as education, design, healthcare, or industrial applications where AR/VR technologies are used. Successful exploitation could lead to unauthorized command execution, resulting in data leakage, system compromise, or disruption of services. Given the device’s role in immersive computing, attackers might manipulate outputs or inputs, affecting operational integrity. The remote and unauthenticated nature of the vulnerability increases the risk of widespread exploitation if devices are exposed to untrusted networks. Additionally, the lack of patches at present means organizations must rely on interim mitigations, increasing operational risk. The medium severity score suggests a moderate but non-negligible threat, particularly if attackers combine this vulnerability with other weaknesses to escalate their impact.

Mitigation Recommendations

1. Immediately restrict network access to ZSPACE Z4Pro+ devices by implementing network segmentation and firewall rules that limit inbound connections to trusted management networks only.
2. Monitor network traffic and device logs for unusual POST requests to the /v2/file/safe/close endpoint or other suspicious activity indicative of command injection attempts.
3. Disable or restrict the vulnerable API endpoint if possible via device configuration until a vendor patch is released.
4. Engage with ZSPACE support to obtain timelines for official patches and apply them promptly once available.
5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection patterns targeting this device.
6. Conduct regular security assessments and penetration tests focusing on AR/VR device infrastructure to identify and remediate similar vulnerabilities.
7. Educate IT and security teams about this vulnerability to ensure rapid response and containment in case of exploitation attempts.
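Recommendations 2 and 5 call for watching POST traffic to /v2/file/safe/close for command injection indicators. The following added example (not code from the advisory, the vendor, or any IDS product) implements that check as a small log scanner: it parses access-log records in a constructed JSON-lines format, restricts attention to POSTs against the endpoint named above, and flags any form parameter whose decoded value contains shell metacharacters. The log format, field names and sample records are assumptions for illustration.

```python
import json
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory as the vulnerable POST request handler.
VULN_PATH = "/v2/file/safe/close"

# Shell metacharacters commonly used to chain or substitute commands.
# A generic heuristic for triage, not a signature for a specific exploit.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")


def is_suspicious(method: str, path: str, body: str) -> bool:
    """True when a request is a POST to the advisory's endpoint and any
    URL-encoded form value decodes to something holding shell metacharacters."""
    if method.upper() != "POST":
        return False
    if path.split("?", 1)[0] != VULN_PATH:
        return False
    for pair in body.split("&"):
        # partition keeps only the value side; decode %xx and '+' first so
        # encoded metacharacters (e.g. %3B for ';') are not missed.
        value = unquote_plus(pair.partition("=")[2])
        if SHELL_META.search(value):
            return True
    return False


def scan_log(lines):
    """Return indices of JSON-lines access-log records that match.
    Each record is assumed to carry 'method', 'path' and optional 'body'."""
    hits = []
    for idx, line in enumerate(lines):
        rec = json.loads(line)
        if is_suspicious(rec["method"], rec["path"], rec.get("body", "")):
            hits.append(idx)
    return hits


# Constructed sample records for demonstration; not traffic from any real device.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","method":"POST","path":"/v2/file/safe/close","body":"name=project1"}',
    '{"src":"10.0.0.9","method":"POST","path":"/v2/file/safe/close","body":"name=a%3Bid"}',
    '{"src":"10.0.0.7","method":"GET","path":"/v2/file/safe/close","body":""}',
    '{"src":"10.0.0.8","method":"POST","path":"/v2/file/list","body":"q=a%3Bid"}',
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print("suspicious record:", SAMPLE_LOG[i])
```

Only the second record is reported: it is a POST to the endpoint whose `name` value decodes to `a;id`, while the GET and the POST to a different path are out of scope for this check.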


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-27T09:36:50.303Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695450b4db813ff03e2bef1a

Added to database: 12/30/2025, 10:22:44 PM

Last enriched: 12/30/2025, 11:20:16 PM

Last updated: 2/7/2026, 3:33:02 PM

