CRITICAL🇵🇱 Wersja polska

CVE-2025-64126

CVSS 10.0v4.0pub. 2025-11-26upd. 2026-04-15

An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.

🤖 AI Analysis
How it works

The application accepts a parameter directly from the user without verifying whether it is a valid IP address or filtering potentially malicious characters. Lack of input validation (CWE-78) allows an attacker to inject arbitrary system commands through a crafted request. The attack can be conducted remotely over the network without requiring any privileges or user interaction.

Impact

An unauthenticated attacker can execute arbitrary commands in the system context of the device, leading to complete device takeover, breach of data confidentiality and integrity, and potential disruption of OT/ICS system availability.

Mitigation & patch

Apply patches available from the manufacturer according to references — firmware update available at https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 and in accordance with guidelines from CISA advisory ICSA-25-329-03

Who is affected

Zenitel station and device firmware software (VS-IS package — Station and Device Firmware Package); specific versions indicated in manufacturer references and CISA advisory ICSA-25-329-03

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassCommand Injection
CWE
References