CRITICAL🇵🇱 Wersja polska

CVE-2025-64127

CVSS 10.0v4.0pub. 2025-11-26upd. 2026-04-15

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

🤖 AI Analysis
How it works

The application accepts parameters supplied by the user, which are then included in system commands without proper validation or sanitization. An unauthenticated attacker can supply crafted input containing malicious system commands. Since this data is not properly filtered (CWE-78), the system executes them with the privileges of the application process.

Impact

An attacker without any authentication can remotely execute arbitrary commands at the operating system level, which may lead to complete device takeover, data leakage, and violation of system integrity and availability.

Mitigation & patch

Apply patches available from the manufacturer according to references – firmware update available at https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 and in accordance with CISA advisory guidelines ICSA-25-329-03

Who is affected

Zenitel devices and firmware software (Station and Device Firmware Package – VS-IS); specific versions indicated in manufacturer references and in the CISA advisory ICSA-25-329-03

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassCommand Injection
CWE
References