PT-2025-48137 · Zenitel · Zenitel Tciv-3+

Published: 2025-11-25 · Updated: 2025-12-01 · CVE-2025-64126

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Zenitel TCIV-3+ versions prior to 9.3.3.0

Description

An OS command injection issue exists due to insufficient input validation. The application accepts user-supplied input without verifying it as a valid IP address or filtering potentially harmful characters. This allows an unauthenticated attacker to inject arbitrary commands. The vulnerability could allow a remote attacker to execute commands on the system, potentially gaining full control of the device. This could lead to eavesdropping on conversations, manipulation of access control systems, or use of the device as an entry point into a network. Additional issues include cross-site scripting (XSS) and a buffer overflow that can cause the device to crash.

Recommendations

Update Zenitel TCIV-3+ to a version later than 9.3.3.0.

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-14763
CVE-2025-64126

Affected Products

Zenitel Tciv-3+