
CVE-2025-64130: CWE-79 in Zenitel TCIV-3+

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-64130, cve, cve-2025-64130, cwe-79
Published: Wed Nov 26 2025 (11/26/2025, 17:55:56 UTC)
Source: CVE Database V5
Vendor/Project: Zenitel
Product: TCIV-3+

Description

Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.

AI-Powered Analysis

Last updated: 11/26/2025, 18:13:59 UTC

Technical Analysis

CVE-2025-64130 identifies a reflected cross-site scripting (XSS) vulnerability classified under CWE-79 in the Zenitel TCIV-3+ intercom system. Reflected XSS occurs when untrusted user input is immediately returned by a web application without proper sanitization, allowing attackers to inject malicious JavaScript code. This vulnerability is remotely exploitable over the network without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is critical (CVSS 9.8), affecting confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation can lead to arbitrary script execution in the victim’s browser, enabling attackers to steal session cookies, perform actions on behalf of the user, or pivot into the internal network. The Zenitel TCIV-3+ device is commonly used in communication and security systems, often integrated into critical infrastructure environments. Although no public exploits or patches are currently available, the vulnerability’s severity demands immediate attention. The lack of patches suggests that organizations must rely on compensating controls until a vendor fix is released. The vulnerability was reserved on 2025-10-27 and published on 2025-11-26, indicating recent discovery and disclosure.

Potential Impact

For European organizations, the impact of this vulnerability is significant, especially for those relying on Zenitel TCIV-3+ devices in critical infrastructure such as transportation hubs, public safety communication, and industrial control systems. Exploitation could lead to unauthorized access to sensitive communications, manipulation of intercom functions, and potential disruption of security operations. The ability to execute arbitrary JavaScript remotely without authentication increases the risk of widespread compromise, including data theft, espionage, and operational disruption. Given the critical nature of these systems, attacks could have cascading effects on public safety and business continuity. Additionally, compromised devices could serve as footholds for lateral movement within enterprise networks. The absence of known exploits in the wild provides a window for proactive defense, but the critical severity score underscores the urgency of mitigation.

Mitigation Recommendations

1. Immediately segment networks to isolate Zenitel TCIV-3+ devices from general user and internet-facing networks to reduce exposure.
2. Implement strict web application firewalls (WAFs) with custom rules to detect and block reflected XSS attack patterns targeting the device’s web interface.
3. Conduct thorough input validation and sanitization on any user-supplied data interacting with the device’s web services, if customization or integration is possible.
4. Monitor network traffic and device logs for unusual or suspicious activity indicative of attempted exploitation.
5. Restrict access to the device’s management interfaces to trusted IP addresses and enforce multi-factor authentication where possible.
6. Engage with Zenitel for timely patch releases and apply updates immediately upon availability.
7. Educate staff on the risks of reflected XSS and ensure secure browsing practices when accessing device interfaces.
8. Consider deploying endpoint detection and response (EDR) tools on systems interacting with these devices to detect potential compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2025-10-27T18:03:35.897Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 692740e20de433ec09559d5f

Added to database: 11/26/2025, 6:03:14 PM

Last enriched: 11/26/2025, 6:13:59 PM

Last updated: 11/27/2025, 2:54:42 PM
