CVE-2025-64130 identifies a reflected cross-site scripting (CWE-79) vulnerability in the Zenitel TCIV-3+ intercom system. Reflected XSS occurs when untrusted input is immediately returned in HTTP responses without proper sanitization or encoding, allowing attackers to inject malicious JavaScript code. This vulnerability enables remote attackers to craft malicious URLs or HTTP requests that, when visited by a victim, execute arbitrary scripts in the victim’s browser context. The flaw requires no authentication or user interaction, increasing its exploitation potential. The CVSS 3.1 base score of 9.8 reflects the vulnerability's critical nature, with attack vector being network-based, low attack complexity, no privileges or user interaction needed, and full impact on confidentiality, integrity, and availability. Exploitation could lead to theft of authentication tokens, unauthorized actions on behalf of the user, or pivoting into internal networks. Zenitel TCIV-3+ is commonly deployed in communication and security systems, often integrated into critical infrastructure environments. Although no public exploits are reported yet, the high severity and ease of exploitation warrant immediate attention. The absence of available patches at the time of disclosure emphasizes the need for interim mitigations such as network segmentation and input filtering.

For European organizations, this vulnerability poses a severe risk, particularly for entities relying on Zenitel TCIV-3+ devices in critical infrastructure sectors such as transportation, public safety, and industrial control systems. Exploitation could compromise sensitive communications, enable unauthorized access to control systems, and facilitate lateral movement within networks. The critical severity indicates potential full compromise of affected systems, risking data breaches, operational disruption, and reputational damage. Given the device’s role in security and communication, attackers could manipulate intercom functions or intercept communications, impacting safety and operational continuity. The vulnerability’s network accessibility and lack of required authentication increase the attack surface, making remote exploitation feasible from outside the organization’s perimeter. This elevates the threat level for European organizations with exposed or poorly segmented Zenitel TCIV-3+ devices.

1. Immediately monitor Zenitel’s official channels for patches and apply them as soon as they become available. 2. Until patches are released, restrict access to the TCIV-3+ management interfaces to trusted internal networks using firewall rules or VPNs. 3. Deploy Web Application Firewalls (WAFs) with robust XSS detection and filtering capabilities to block malicious payloads targeting the device. 4. Conduct thorough input validation and sanitization on any web-facing components interacting with the device, if customization is possible. 5. Implement network segmentation to isolate TCIV-3+ devices from general user networks and limit lateral movement opportunities. 6. Regularly audit device logs and network traffic for signs of suspicious activity or exploitation attempts. 7. Educate users and administrators about the risks of clicking unknown links or accessing untrusted URLs related to the device. 8. Consider disabling unnecessary web interfaces or services on the device to reduce the attack surface.