Zenitel has issued an urgent security advisory, also reported by CISA, concerning a set of critical vulnerabilities in its TCIV-3+ intercom station. The advisory details five distinct security flaws, three of which are rated with the maximum severity CVSS v3 base score of 9.8.
The vulnerabilities affect all versions of TCIV-3+ prior to 9.3.3.0. Successful exploitation of these flaws “could result in arbitrary code execution or cause a denial-of-service condition.”
The most severe threats are three separate instances of OS Command Injection (CVE-2025-64126, CVE-2025-64127, and CVE-2025-64128), all scoring a CVSS of 9.8.
These vulnerabilities stem from improper or insufficient validation of user-supplied input:
- CVE-2025-64126: Exists because the application “accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters”. This “could allow an unauthenticated attacker to inject arbitrary commands.”
- CVE-2025-64127: Caused by “insufficient sanitization of user-supplied input”, where parameters are later “incorporated into OS commands without adequate validation”. This “could allow an unauthenticated attacker to execute arbitrary commands remotely.”
- CVE-2025-64128: Due to “incomplete validation of user-supplied input”, which “could permit attackers to append arbitrary data” and “inject arbitrary commands.”
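The flaw class described above, parsing a parameter as an IP address before it reaches an OS command, as an added illustration that is not Zenitel's code and not a description of the actual TCIV-3+ firmware; the ping diagnostic, the function names and the constructed inputs are assumptions:

```python
import ipaddress
import subprocess


def validate_ip(param: str) -> str:
    """Return the canonical text form of `param` if it is exactly one IPv4/IPv6 literal.

    This is allowlist validation: ipaddress.ip_address() only accepts a bare
    address, so hostnames, CIDR suffixes, surrounding whitespace and any shell
    metacharacters are rejected by construction. That is stronger than trying
    to filter "potentially malicious characters" out of the value.
    """
    try:
        addr = ipaddress.ip_address(param)  # no .strip(): a value needing trimming is already suspect
    except ValueError as exc:
        raise ValueError(f"parameter is not a valid IP address: {param!r}") from exc
    return str(addr)


def is_valid_ip(param: str) -> bool:
    """Boolean wrapper around validate_ip() for request handlers and tests."""
    try:
        validate_ip(param)
    except ValueError:
        return False
    return True


def build_ping_argv(param: str) -> list[str]:
    """Build the argv for a hypothetical ping diagnostic.

    Validation runs first, and the result is a list of separate arguments,
    never a string concatenated into a shell command line.
    """
    target = validate_ip(param)
    return ["ping", "-c", "1", target]


def run_ping(param: str) -> int:
    """Execute the diagnostic. shell=False (the default) hands argv straight to the
    OS, so even a value that slipped past validation is never parsed by /bin/sh."""
    argv = build_ping_argv(param)
    return subprocess.run(argv, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one valid address, then values a blocklist
    # filter might miss but an allowlist parser rejects outright.
    for sample in ["192.0.2.1", "192.0.2.1; id", " 192.0.2.1", "192.0.2.1/24", "host.example"]:
        print(f"{sample!r:20} -> {'accepted' if is_valid_ip(sample) else 'rejected'}")
```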
The advisory also details two other high-impact vulnerabilities:
- Cross-Site Scripting (XSS) (CVE-2025-64130): This reflected XSS flaw is also rated at a CVSS of 9.8. It “could allow a remote attacker to execute arbitrary JavaScript on the victim’s browser.”
- Out-of-Bounds Write (CVE-2025-64129): Rated at CVSS 7.6, this vulnerability “could allow a remote attacker to crash the device.”
Zenitel recommends that users “upgrade to Version 9.3.3.0 or later”. Given the potential for unauthenticated remote code execution (CVSS 9.8), patching is essential for maintaining the security and availability of these critical communication devices.