cbcvebase.
CVE-2025-64126
published 2025-11-26

Priority: P275 | critical | 10 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 2.28% (80.9th percentile)

An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.

Affected

1 range

Vendor | Product | Version range | Fixed in
zenitel | tciv-3 | <= 9.3.3.0 |

Detection & IOCs (extracted from sources)

  • CVE-2025-64126 targets Zenitel TCIV-3+ devices (all versions prior to 9.3.3.0): detect unauthenticated HTTP requests supplying an unsanitized IP address parameter that contains shell metacharacters (e.g., semicolons, pipes, backticks, $() constructs) indicative of OS command injection attempts.
  • No authentication is required to exploit CVE-2025-64126; monitor for unauthenticated requests to Zenitel TCIV-3+ web interfaces that include non-IP-address characters in parameters expected to carry IP address values.
  • Zenitel TCIV-3+ is deployed in the Communications critical infrastructure sector worldwide; prioritize detection and network segmentation for these devices, especially any exposed to internet-accessible networks.
  • All versions of Zenitel TCIV-3+ prior to 9.3.3.0 are affected by CVE-2025-64126; version 9.3.3.0 and later are patched. Detection rules should target unpatched devices running firmware below this version.
  • No known public exploitation of CVE-2025-64126 has been reported as of the advisory publication date (November 25, 2025); threat hunting should be treated as proactive rather than reactive at this time.
  • CVE-2025-64126 is one of three OS command injection CVEs (CVE-2025-64126, CVE-2025-64127, CVE-2025-64128) affecting the same product; detection logic should account for all three injection vectors, not just the IP address parameter targeted by CVE-2025-64126.
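
The check described in the bullets above, sketched as an added example (not code from the advisory, the vendor, or this site): it scans access-log lines and flags any parameter expected to carry an IP address whose decoded value does not parse as one, raising severity when shell metacharacters are present. The parameter names, the `/diag` path and the log format are assumptions, since the page names neither the endpoint nor the parameter; only query strings are inspected.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: the page does not name the vulnerable parameter or endpoint.
# List the parameters your device's web interface uses for IP values.
IP_PARAMS = {"ip", "host", "address"}
SHELL_META = set(";|&`$()<>\n\r")
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

def is_valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def inspect_target(target):
    """Flag IP-typed query parameters whose decoded value is not an IP."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in IP_PARAMS or is_valid_ip(value):
            continue
        meta = sorted(SHELL_META.intersection(value))
        findings.append({"param": name, "value": value, "metachars": meta,
                         "severity": "high" if meta else "low"})
    return findings

def scan(log_lines):
    """Return (line_number, finding) pairs for every suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((number, f) for f in inspect_target(match.group(1)))
    return hits

# Constructed sample access-log lines (hypothetical /diag path and "ip" name).
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /diag?ip=192.0.2.10 HTTP/1.1" 200',
    '198.51.100.7 - - "GET /diag?ip=192.0.2.10%3Bid HTTP/1.1" 200',
    '198.51.100.7 - - "GET /diag?ip=%60id%60 HTTP/1.1" 200',
    '198.51.100.7 - - "GET /diag?ip=intercom-01 HTTP/1.1" 200',
    '198.51.100.7 - - "GET /status?page=2 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, finding)
```

Validating against `ipaddress` rather than a metacharacter blocklist also surfaces the low-severity case (a hostname where an IP is expected), which is worth reviewing on a device that should only ever receive literal addresses.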

CVSS provenance

nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X