CVE-2025-59816: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Zenitel ICX500
This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue.
AI Analysis
Technical Summary
CVE-2025-59816 is a high-severity SQL Injection vulnerability (CWE-89) affecting the Zenitel ICX500 product versions prior to 1.4.3.3. This vulnerability arises from improper neutralization of special elements in SQL commands, allowing an attacker with low privileges and network access (attack vector: adjacent network) to inject malicious SQL queries directly into the Billing Admin database. Exploitation does not require user interaction but does require some level of privileges (PR:L). The vulnerability enables attackers to retrieve sensitive data stored in the database, including user credentials. Critically, user passwords are stored in plaintext, which significantly amplifies the risk of credential compromise and subsequent unauthorized access. The vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS 3.1 base score is 7.3, reflecting a high severity due to the ease of exploitation (low complexity), the high impact on confidentiality and integrity, and the lack of required user interaction. No known exploits are currently reported in the wild. The vulnerability was published on September 25, 2025, and is assigned by NCSC-NL. No patches or fixes have been linked yet, indicating that affected organizations must prioritize mitigation and monitoring efforts. The ICX500 is a communication system product, likely used in enterprise or critical infrastructure environments, making the exposure of billing and credential data particularly sensitive.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive billing and user credential data within the Zenitel ICX500 systems. The exposure of plaintext passwords can lead to credential theft, lateral movement, and escalation of privileges within affected networks. Organizations relying on ICX500 for communication and billing management may face data breaches, regulatory non-compliance (e.g., GDPR violations due to exposure of personal data), and reputational damage. The integrity of billing data could be compromised, potentially leading to financial discrepancies or fraud. Since the vulnerability requires low privileges but network adjacency, attackers within the internal network or connected segments could exploit it, increasing the risk from insider threats or compromised internal hosts. The lack of availability impact means service disruption is unlikely, but the confidentiality breach alone is critical. European organizations in sectors such as telecommunications, critical infrastructure, and enterprises using Zenitel products are particularly at risk.
Mitigation Recommendations
1. Immediate mitigation should include network segmentation to restrict access to the ICX500 Billing Admin interface only to trusted and authenticated users and systems, minimizing the attack surface.
2. Implement strict access controls and monitor for unusual query patterns or database access attempts indicative of SQL injection exploitation.
3. Since no patch is currently available, consider deploying Web Application Firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) with rules targeting SQL injection attempts specific to the ICX500 environment.
4. Enforce strong password policies and transition away from plaintext password storage by applying encryption or hashing mechanisms as soon as a patch or update is available.
5. Conduct thorough audits of user credentials and rotate passwords immediately to limit the impact of potential credential exposure.
6. Monitor vendor communications closely for patch releases and apply updates promptly once available.
7. Educate internal IT and security teams about this vulnerability to ensure rapid detection and response to any suspicious activity related to the ICX500 systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: NCSC-NL
- Date Reserved: 2025-09-22T10:23:28.574Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d59a07384a6c1fec5c3809
Added to database: 9/25/2025, 7:37:43 PM
Last enriched: 10/3/2025, 12:44:26 AM
Last updated: 11/8/2025, 12:04:03 PM