CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-64093

CVSS 10.0v3.1pub. 2026-01-09upd. 2026-02-10

Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.

🤖 AI Analysis
How it works

The command injection vulnerability (CWE-77) exists because the application does not properly validate input data passed to the device's hostname field. An attacker without any authentication can inject arbitrary system commands that will be executed in the context of the device. The attack vector is network-based, requires no user interaction or special privileges, and the scope of the attack extends beyond the component itself (S:C).

Impact

An attacker can gain full control over the device, obtaining the highest level of confidentiality, integrity, and availability of the system — including reading configuration data, modifying device settings, and potentially disrupting its operation. It is also possible to use the compromised device as an entry point for further lateral movement within the network.

Mitigation & patch

Apply patches available from the manufacturer according to the references — detailed information about the patched firmware versions is contained in the official Zenitel Security Advisory (A100K12333) available at the address indicated in the references. Until the update is applied, it is recommended to isolate devices from public networks and restrict access to them exclusively to trusted network segments.

Who is affected

Zenitel ICx500 and ICx510 devices (firmware and hardware) — specific firmware versions indicated in the manufacturer's references (Security Advisory A100K12333).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Zenitel Icx500

    HW
    Zenitel
    wszystkie wersje
  • Zenitel Icx500 Firmware

    OS
    Zenitel
    < 1.4.3.3
  • Zenitel Icx510

    HW
    Zenitel
    wszystkie wersje
  • Zenitel Icx510 Firmware

    OS
    Zenitel
    < 1.4.3.3
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-64092HIGH7.5ten sam produkt

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and d...

CVE-2025-59818CRITICAL10.0PL ✓ten sam vendor

Command Injection w Zenitel Tcis-3 via nazwa przesyłanego pliku

CVE-2025-64090CRITICAL10.0PL ✓ten sam vendor

Command injection w Zenitel TCIS-3 – wykonanie poleceń przez hostname

CVE-2025-64091HIGH8.6ten sam vendor

This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.

CVE-2021-40845HIGH8.8ten sam vendor

The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file...