CISA issues alert on vulnerabilities in Zenitel TCIV-3+ devices

Zenitel's TCIV-3+ equipment contains vulnerabilities including Operating System (OS) command injection, out-of-bounds write, and Cross-Site Scripting (XSS), which can lead to unauthorized code execution or service disruption.

All versions of TCIV-3+ prior to 9.3.3.0 are affected. Three distinct OS command injection vulnerabilities have been identified, tracked under the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2025-64126, CVE-2025-64127, and CVE-2025-64128; each has a Common Vulnerability Scoring System (CVSS) v3 base score of 9.8 and a CVSS v4 base score of 10.0. They arise from inadequate validation and sanitization of input in different application parameters, allowing unauthenticated remote attackers to execute arbitrary commands. Additionally, an out-of-bounds write vulnerability (CVE-2025-64129), with a CVSS v3 score of 7.6 and a CVSS v4 score of 7.0, can crash the device. A reflected XSS vulnerability (CVE-2025-64130), with a CVSS v3 score of 9.8 and a CVSS v4 score of 9.3, lets remote attackers run arbitrary JavaScript in victims' browsers.
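The two input-handling defect classes named above (OS command injection and reflected XSS) are shown below as an added illustration in Python. This is not Zenitel firmware code and says nothing about how the TCIV-3+ web application is built; the `host` and `name` parameters, the allowlist pattern and the crafted inputs are all constructed for the demonstration. The point is the contrast: splicing a request parameter into a shell string or an HTML response versus validating it against an allowlist, passing it as a separate argv element, and escaping it on output.

```python
# Added example (not Zenitel's or CISA's code): weak vs hardened handling of
# request parameters, illustrating the OS command injection and reflected XSS
# classes from the advisory. All parameter names and inputs are constructed.
import html
import re

# Allowlist for a host-style parameter: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters that let a POSIX shell chain, substitute or redirect commands.
SHELL_META = set(";|&$`<>(){}\n\"'\\ ")


def vulnerable_command(host: str) -> str:
    """Weak pattern: the untrusted parameter is spliced into a shell command
    line that the application would hand to a shell (e.g. system()/shell=True).
    Any metacharacter in `host` changes what the shell executes."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allowlist check: accept only characters a hostname or IP can contain."""
    return bool(HOST_RE.fullmatch(host))


def hardened_argv(host: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list so the value
    reaches the program as a single argument and no shell ever parses it."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def injection_indicators(value: str) -> set[str]:
    """Shell metacharacters present in a parameter; useful for request logging
    and alerting on attempts, independent of whether the handler is fixed."""
    return {c for c in value if c in SHELL_META}


def vulnerable_render(name: str) -> str:
    """Weak pattern: a query parameter is reflected into HTML unescaped, so
    markup in `name` becomes part of the page (reflected XSS)."""
    return f"<p>Hello {name}</p>"


def hardened_render(name: str) -> str:
    """Hardened pattern: escape on output so the value is rendered as text."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    crafted_host = "10.0.0.5; reboot"               # constructed input
    crafted_name = "<script>alert(1)</script>"      # constructed input
    print("weak command line :", vulnerable_command(crafted_host))
    print("metacharacters    :", sorted(injection_indicators(crafted_host)))
    try:
        hardened_argv(crafted_host)
    except ValueError as exc:
        print("hardened handler  :", exc)
    print("hardened argv     :", hardened_argv("10.0.0.5"))
    print("weak HTML         :", vulnerable_render(crafted_name))
    print("hardened HTML     :", hardened_render(crafted_name))
```

Note that `hardened_argv` does both things a fix needs: the allowlist rejects anything that is not a plausible host, and the argv list removes the shell from the path entirely, so even a future relaxation of the pattern cannot reintroduce command chaining. `injection_indicators` is the defender's companion: logging which metacharacters arrived in a parameter gives a simple detection signal for attempts against devices that have not yet been upgraded.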

Exploitation of these flaws could result in arbitrary code execution or Denial of Service (DoS) conditions affecting the TCIV-3+ devices.

Zenitel advises upgrading affected devices to firmware version 9.3.3.0 or later to address these issues. No public reports of exploitation targeting these vulnerabilities have been noted.
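Because the fix is a version threshold ("prior to 9.3.3.0"), the practical first step for an asset owner is to find which inventoried TCIV-3+ units are below it. The following is an added example, not from CISA or Zenitel; the inventory rows and their field names are constructed. It compares dotted versions numerically rather than as strings (so that 9.10.0.0 is correctly treated as newer than 9.3.3.0) and pads shorter version strings with zeros so that a firmware reported as "9.3.3" is not mistakenly flagged.

```python
# Added example (not from CISA or Zenitel): flag inventory entries whose
# TCIV-3+ firmware is below the fixed version named in the advisory.
# The inventory records below are constructed sample data.
FIXED_VERSION = "9.3.3.0"   # from the advisory
VERSION_FIELDS = 4


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints, zero-padded to four fields so
    '9.3.3' compares equal to '9.3.3.0'. Raises ValueError on junk input."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts or len(parts) > VERSION_FIELDS:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts + (0,) * (VERSION_FIELDS - len(parts))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def affected_devices(inventory: list[dict]) -> list[str]:
    """Names of TCIV-3+ units still running a vulnerable firmware."""
    return [
        d["name"]
        for d in inventory
        if d["model"] == "TCIV-3+" and is_affected(d["firmware"])
    ]


# Constructed inventory; names, models and versions are made up for the demo.
SAMPLE_INVENTORY = [
    {"name": "lobby-intercom", "model": "TCIV-3+", "firmware": "9.2.1.0"},
    {"name": "dock-intercom", "model": "TCIV-3+", "firmware": "9.3.3.0"},
    {"name": "gate-intercom", "model": "TCIV-3+", "firmware": "9.10.0.0"},
    {"name": "plant-intercom", "model": "TCIV-3+", "firmware": "9.3.3"},
    {"name": "other-device", "model": "OTHER", "firmware": "1.0.0.0"},
]

if __name__ == "__main__":
    for name in affected_devices(SAMPLE_INVENTORY):
        print("needs upgrade:", name)
```

String comparison would get two of the sample rows wrong: `"9.10.0.0" < "9.3.3.0"` is true lexicographically, and `"9.3.3" < "9.3.3.0"` is true as well, so a naive check would both flag a patched unit and miss nothing only by luck. Tuple comparison with padding avoids both pitfalls.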

Measures to reduce exposure include limiting the network accessibility of control system devices, placing them behind firewalls, isolating them from business networks, and using secure remote access technologies such as up-to-date virtual private networks (VPNs). Organizations should conduct risk assessments before implementing defensive controls. Additional best practices and recommendations for industrial control system security are available through relevant cybersecurity resources. Suspected malicious activity should be reported according to organizational procedures for further analysis and information sharing.