CVE-2025-64126 is an OS command injection vulnerability identified in the Zenitel TCIV-3+ intercom system. The root cause is improper input validation in the application layer, where a parameter intended to be an IP address is accepted directly from user input without verification or sanitization. This lack of validation allows attackers to inject arbitrary operating system commands by embedding malicious characters or command sequences within the input parameter. Since the vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, it poses a severe risk. The CVSS v3.1 base score is 10.0, indicating critical severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and scope changed (S:C), impacting confidentiality, integrity, and availability at a high level (C:H/I:H/A:H). The vulnerability affects all versions indicated as '0' (likely meaning all current versions or an unspecified range) of the TCIV-3+ product. No patches or exploits are currently publicly available, but the vulnerability is published and recognized by ICS-CERT. This type of vulnerability could allow attackers to take full control of affected devices, disrupt communications, or pivot into internal networks. Given the role of Zenitel TCIV-3+ in critical communication systems, exploitation could have severe operational impacts.

For European organizations, the impact of this vulnerability is significant. Zenitel TCIV-3+ devices are commonly deployed in critical infrastructure sectors such as transportation, public safety, and industrial facilities. Successful exploitation could lead to full system compromise, allowing attackers to execute arbitrary commands, disrupt intercom and communication services, and potentially use the device as a foothold for lateral movement within enterprise networks. This threatens operational continuity, safety, and data confidentiality. The criticality is heightened in environments where these devices are integrated into security or emergency response systems. Additionally, the vulnerability’s unauthenticated remote exploitability increases the risk of widespread attacks, including ransomware or espionage campaigns targeting European critical infrastructure. The lack of current patches means organizations must rely on network-level mitigations and monitoring until vendor fixes are released.

1. Immediately restrict network access to Zenitel TCIV-3+ devices by implementing strict firewall rules and network segmentation to limit exposure to untrusted networks. 2. Monitor network traffic for unusual or malformed input targeting the vulnerable parameter, using IDS/IPS systems with custom signatures if possible. 3. Employ application-layer filtering or proxy solutions to validate and sanitize inputs before they reach the device. 4. Engage with Zenitel support to obtain timelines for patches or firmware updates addressing the vulnerability and apply them promptly once available. 5. Conduct thorough audits of all Zenitel TCIV-3+ deployments to identify exposed devices and ensure they are not accessible from the internet or untrusted networks. 6. Implement strict access control policies and multi-factor authentication for management interfaces to reduce risk of unauthorized access. 7. Prepare incident response plans specific to potential exploitation scenarios involving these devices. 8. Consider temporary device replacement or disabling vulnerable features if patching is delayed and risk is unacceptable.