An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
The application accepts a parameter directly from the user without verifying whether it is a valid IP address or filtering potentially malicious characters. Lack of input validation (CWE-78) allows an attacker to inject arbitrary system commands through a crafted request. The attack can be conducted remotely over the network without requiring any privileges or user interaction.
An unauthenticated attacker can execute arbitrary commands in the system context of the device, leading to complete device takeover, breach of data confidentiality and integrity, and potential disruption of OT/ICS system availability.
Apply patches available from the manufacturer according to references — firmware update available at https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 and in accordance with guidelines from CISA advisory ICSA-25-329-03
Zenitel station and device firmware software (VS-IS package — Station and Device Firmware Package); specific versions indicated in manufacturer references and CISA advisory ICSA-25-329-03
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X