This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
An attacker with access to an authenticated session of a Zenitel TCIS-3 device can inject malicious system commands into the hostname configuration field. Input data is not properly sanitized before being passed to the system command interpreter, which allows embedding and executing arbitrary code. Due to the AV:N vector and lack of user interaction requirements (UI:N), the attack can be conducted remotely over the network.
Successful exploitation of the vulnerability allows an attacker to gain full control over the device – reading and modifying data, disrupting its operation (denial of service), and due to the changed scope (S:C) potentially also lateral movement in the network to which the device is connected.
Apply patches available from the manufacturer according to the references – details are contained in the Zenitel Security Advisory A100K12333 document available at the address indicated in the references. Until the patch is applied, it is recommended to restrict access to the device management interface to trusted IP addresses only and enforce strong authentication.
Zenitel TCIS-3 and Zenitel TCIS-3 Firmware – specific versions indicated in the manufacturer references (Zenitel advisory No. A100K12333)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HZenitel Tcis 3
HWZenitelwszystkie wersjeZenitel Tcis 3 Firmware
OSZenitel< 9.2.3.3
Related vulnerabilities
Command Injection w Zenitel Tcis-3 via nazwa przesyłanego pliku
This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.
RCE poprzez command injection w polu hostname urządzeń Zenitel ICx500/ICx510
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and d...
The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file...