CVE-2025-64091 is a command injection vulnerability found in the Zenitel TCIS-3+ device, specifically exploitable through the Network Time Protocol (NTP) configuration interface. The vulnerability requires an attacker to be authenticated but does not require elevated privileges or user interaction, which lowers the barrier for exploitation within an internal or semi-trusted network environment. By manipulating the NTP configuration, an attacker can execute arbitrary commands on the device, potentially leading to unauthorized access to sensitive information or further lateral movement within the network. The vulnerability affects all versions of TCIS-3+ prior to 9.2.3.3. The CVSS 3.1 score of 8.6 reflects a high severity due to the network attack vector, low attack complexity, and the complete compromise of confidentiality. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to organizations relying on these devices for secure communication, especially in industrial or critical infrastructure sectors. The scope of impact is considerable given the strategic use of Zenitel devices in secure communication environments. The lack of integrity and availability impact suggests the primary concern is data confidentiality and potential unauthorized command execution.

For European organizations, this vulnerability could lead to unauthorized command execution on critical communication devices, potentially exposing sensitive operational data or enabling attackers to pivot within internal networks. Given Zenitel TCIS-3+ devices are often deployed in industrial, transportation, and critical infrastructure sectors, exploitation could undermine operational security and confidentiality. The breach of communication devices may disrupt secure voice or data transmissions, impacting incident response and operational coordination. Confidentiality loss could expose sensitive organizational or personal data, leading to regulatory and reputational damage under GDPR and other data protection laws. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. The vulnerability's network accessibility and low complexity increase the risk in environments where authentication controls are weak or compromised. Organizations with remote or distributed deployments of TCIS-3+ devices are particularly at risk, as attackers could exploit the vulnerability from less secure network segments.

1. Immediately upgrade all Zenitel TCIS-3+ devices to version 9.2.3.3 or later once the patch is available from the vendor. 2. Restrict access to the NTP configuration interface using network segmentation and firewall rules, limiting it to trusted administrators only. 3. Enforce strong authentication mechanisms and regularly audit user accounts with access to the device management interfaces. 4. Monitor device logs and network traffic for unusual NTP configuration changes or command execution attempts. 5. Implement network intrusion detection systems (NIDS) with signatures or heuristics to detect anomalous command injection patterns targeting TCIS-3+. 6. Conduct regular vulnerability assessments and penetration tests focusing on communication devices to identify and remediate similar issues proactively. 7. Establish incident response plans specific to communication device compromise scenarios to minimize impact. 8. Coordinate with Zenitel support for timely updates and security advisories.