
CVE-2025-5952: OS Command Injection in Zend.To

Severity: Medium
Tags: Vulnerability, CVE-2025-5952
Published: Tue Jun 10 2025 (06/10/2025, 05:00:14 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: Zend.To

Description

A vulnerability, which was classified as critical, has been found in Zend.To up to 6.10-6 Beta. This issue affects the function exec of the file NSSDropoff.php. The manipulation of the argument file_1 leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.10-7 is able to address this issue. It is recommended to upgrade the affected component. This affects a rather old version of the software. The vendor recommends updating to the latest release. Additional countermeasures have been added in 6.15-8.

AI-Powered Analysis

Last updated: 07/11/2025, 00:47:13 UTC

Technical Analysis

CVE-2025-5952 is a security vulnerability identified in Zend.To versions up to 6.10-6 Beta. The flaw resides in the NSSDropoff.php file, specifically in the exec function, where the argument file_1 can be manipulated by an attacker to perform OS command injection. This type of vulnerability allows an attacker to execute arbitrary operating system commands on the server hosting the vulnerable Zend.To instance. The vulnerability can be exploited remotely without requiring any authentication or user interaction, increasing the risk of widespread exploitation. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting a network attack vector with low complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is rated as low individually but combined can lead to significant compromise depending on the commands executed. The vulnerability affects an older beta version of Zend.To, a file transfer web application used for secure file sharing. The vendor has released version 6.10-7 to address this issue and further strengthened countermeasures in version 6.15-8. No known exploits are currently reported in the wild, but public disclosure of the exploit code increases the risk of future attacks. The vulnerability’s root cause is insufficient input validation and sanitization of the file_1 parameter before passing it to the exec function, enabling injection of malicious shell commands. This can lead to unauthorized command execution, potentially allowing attackers to gain control over the server, access sensitive data, or disrupt service availability.

Potential Impact

For European organizations using Zend.To, especially those running the affected 6.10-6 Beta version, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized remote code execution, resulting in data breaches, service disruption, or lateral movement within the network. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) could face compliance violations and reputational damage. The ability to execute OS commands remotely without authentication makes this vulnerability particularly dangerous for public-facing instances. The impact is heightened for sectors relying on secure file transfers such as government agencies, financial institutions, healthcare providers, and critical infrastructure operators. Additionally, compromised servers could be leveraged as pivot points for broader attacks or malware deployment. Although no active exploits are reported yet, the public availability of exploit details necessitates urgent remediation to prevent potential targeted attacks against European entities.

Mitigation Recommendations

1. Immediately upgrade Zend.To installations from version 6.10-6 Beta to at least version 6.10-7, or preferably to the latest stable release (6.15-8 or newer), which includes additional security enhancements.
2. Implement strict input validation and sanitization on all user-supplied parameters, especially those passed to system-level commands.
3. Restrict the execution privileges of the web server process to the minimum necessary, applying the principle of least privilege to limit the impact of any command injection.
4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious command injection patterns targeting the file_1 parameter.
5. Monitor logs for unusual command execution attempts or anomalies in NSSDropoff.php access patterns.
6. Conduct regular security assessments and penetration tests focusing on injection vulnerabilities in web applications.
7. Isolate Zend.To servers within segmented network zones to reduce lateral movement risk in case of compromise.
8. Educate administrators on timely patch management and vulnerability disclosure monitoring to ensure rapid response to emerging threats.
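The root cause named in the technical analysis (a client-controlled file_1 upload parameter reaching PHP's exec without validation) and mitigation points 2 and 3 above, shown side by side as an added PHP example. This is not Zend.To's NSSDropoff.php or the vendor's fix; the function names, the /var/dropoff directory and the clamscan invocation are assumptions chosen only to make the pattern concrete.

```php
<?php
// Added example, not Zend.To code. Shows the unsafe pattern behind an
// exec()-based command injection and two hardened replacements.

// UNSAFE (hypothetical): the client-supplied upload name is concatenated
// straight into a shell command string. Any shell metacharacter in the name
// changes what /bin/sh runs, which is the vulnerability class described above.
function scanUploadUnsafe(string $clientName): string
{
    $output = [];
    exec('clamscan --no-summary /var/dropoff/' . $clientName, $output);
    return implode("\n", $output);
}

// Validate one $_FILES entry (e.g. $_FILES['file_1']) and move it to a
// server-chosen path. The stored basename is allow-listed to a conservative
// character set, so the path never contains shell metacharacters, and the
// random prefix prevents collisions and guessable names. (assumed directory)
function storeUpload(array $fileEntry): string
{
    if (!isset($fileEntry['tmp_name']) || !is_uploaded_file($fileEntry['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $base = basename((string)($fileEntry['name'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9._-]{1,128}$/', $base) || $base === '.' || $base === '..') {
        throw new InvalidArgumentException('invalid file name');
    }
    $dest = '/var/dropoff/' . bin2hex(random_bytes(8)) . '-' . $base;
    if (!move_uploaded_file($fileEntry['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// HARDENED, option 1: keep exec() but quote every argument. escapeshellarg()
// wraps the value in single quotes and escapes embedded quotes, so the shell
// treats the whole path as one literal argument.
function scanUploadQuoted(string $storedPath): string
{
    $output = [];
    exec('clamscan --no-summary ' . escapeshellarg($storedPath), $output);
    return implode("\n", $output);
}

// HARDENED, option 2 (preferred): bypass the shell entirely. proc_open()
// accepts an argv array since PHP 7.4 and executes the program directly, so
// no part of the path is ever parsed by /bin/sh.
function scanUploadNoShell(string $storedPath): string
{
    $proc = proc_open(
        ['clamscan', '--no-summary', $storedPath],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start scanner');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Typical handler flow for the file_1 field:
//   $path = storeUpload($_FILES['file_1']);
//   $report = scanUploadNoShell($path);
```

Even with the shell removed, the web server account should only be able to write to the drop-off directory and run the scanner (mitigation point 3); the argv form limits what an injected string can do, while least privilege limits what a successful attack could reach.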


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-09T19:02:27.392Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68487f551b0bd07c3938a35b

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 7/11/2025, 12:47:13 AM

Last updated: 8/18/2025, 11:33:40 PM
