URGENT PATCH REQUIRED: Zenitel TCIV-3+ Intercoms Hit by Multiple Critical Flaws (CVSS 9.8)


Key Takeaways:

  • Zenitel has released an urgent security advisory for its TCIV-3+ intercom station.
  • Five distinct security flaws were identified; the three OS command injection flaws each carry a critical CVSS v3 base score of 9.8.
  • Successful exploitation could result in arbitrary code execution or a denial-of-service condition.
  • Immediate action is required to upgrade to Version 9.3.3.0 or later.
  • PurpleOps can help mitigate these risks with cyber threat intelligence, breach detection, and supply-chain risk monitoring.


Zenitel has released an urgent security advisory, alongside a CISA advisory, regarding several critical vulnerabilities discovered in its TCIV-3+ intercom station. The advisory describes five distinct security flaws; the three OS command injection flaws among them each carry a critical CVSS v3 base score of 9.8. This blog post examines these vulnerabilities and their implications.

The vulnerabilities affect all versions of TCIV-3+ prior to 9.3.3.0. According to the advisory, successful exploitation of these flaws “could result in arbitrary code execution or cause a denial-of-service condition.” Given the potential impact, immediate action is required.

Critical Vulnerabilities in Zenitel TCIV-3+ Intercoms (CVSS 9.8)

The most severe threats involve three separate instances of OS Command Injection (CVE-2025-64126, CVE-2025-64127, and CVE-2025-64128), each scoring a CVSS of 9.8. These vulnerabilities arise from inadequate validation of user-supplied input.

  • CVE-2025-64126: This vulnerability exists because the application “accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters.” Exploitation “could allow an unauthenticated attacker to inject arbitrary commands.”
  • CVE-2025-64127: This is caused by “insufficient sanitization of user-supplied input,” where parameters are subsequently “incorporated into OS commands without adequate validation.” An unauthenticated attacker could leverage this to “execute arbitrary commands remotely.”
  • CVE-2025-64128: This stems from the “incomplete validation of user-supplied input,” which “could permit attackers to append arbitrary data” and “inject arbitrary commands.”

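The three command injection CVEs above all reduce to the same mistake: a value that should only ever be an IP address reaches an OS command without being checked. The following is an added illustration of that bug class beside its hardened form. It is constructed example code written for this post, not Zenitel firmware; the function names and the harmless `echo` command stand in for whatever the device actually executes, and the parameter handling is assumed, not taken from the advisory.

```python
"""
Constructed illustration of an OS command injection through an unvalidated
"IP address" parameter, next to a hardened version. Not Zenitel code; the
names and the `echo` command are placeholders for this example.
"""
from __future__ import annotations

import ipaddress
import subprocess


def vulnerable_command(target: str) -> str:
    # The pattern the advisory quotes: the parameter goes straight into the
    # command string with no check that it is an IP address.
    return f"echo probing {target}"


def run_vulnerable(target: str) -> str:
    # shell=True hands the string to /bin/sh, which treats ';', '|', '$()'
    # and newlines as syntax, so the attacker's text becomes a second command.
    return subprocess.run(vulnerable_command(target), shell=True,
                          capture_output=True, text=True).stdout


def hardened_argv(target: str) -> list[str]:
    # Allow-list validation: the value must parse as an IPv4/IPv6 address.
    # Anything else raises ValueError before any command is assembled.
    addr = ipaddress.ip_address(target.strip())
    return ["echo", "probing", str(addr)]


def run_hardened(target: str) -> str:
    # argv list, no shell: the validated value is one literal argument, so
    # even a weaker validator could not turn it into extra commands.
    return subprocess.run(hardened_argv(target),
                          capture_output=True, text=True).stdout


def hardened_rejects(target: str) -> bool:
    # True when the hardened path refuses the input outright.
    try:
        hardened_argv(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "10.0.0.5; echo INJECTED"
    print(run_vulnerable(payload), end="")    # second output line: INJECTED
    print(hardened_rejects(payload))          # True
    print(run_hardened("10.0.0.5"), end="")   # probing 10.0.0.5
```

The two fixes are independent and both are worth having: strict parsing rejects the malformed value, and building an argv list without a shell means a future validation gap cannot be turned into command execution. Stripping individual "bad characters" from the input, the approach the third CVE describes as incomplete, is not a substitute for either.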
In addition to these OS Command Injection flaws, the advisory details two further high-impact vulnerabilities:

  • Cross-Site Scripting (XSS) (CVE-2025-64130): This reflected XSS flaw also has a CVSS score of 9.8. It “could allow a remote attacker to execute arbitrary JavaScript on the victim’s browser.”
  • Out-of-Bounds Write (CVE-2025-64129): This vulnerability, rated at CVSS 7.6, “could allow a remote attacker to crash the device.”

Implications and Mitigation

The presence of unauthenticated remote code execution vulnerabilities (CVSS 9.8) poses a significant risk. Attackers could potentially gain complete control over affected devices without needing any credentials. This control could be used to disrupt communications, eavesdrop on conversations, or pivot to other systems on the network. The XSS vulnerability further expands the attack surface, potentially allowing attackers to compromise users who interact with the intercom system through a web browser. The out-of-bounds write vulnerability, while less severe, could still lead to denial-of-service conditions, impacting the availability of the intercom system.

Zenitel recommends upgrading to Version 9.3.3.0 or later to address these vulnerabilities. Given the high potential for exploitation, patching is critical for maintaining the security and availability of these communication devices. Organizations should prioritize this update to minimize their exposure to these risks.

Actionable Advice

Technical Readers:

  • Immediate Patching: Prioritize the upgrade to Zenitel TCIV-3+ Version 9.3.3.0 or later.
  • Network Segmentation: Isolate intercom systems on a separate network segment and restrict access to the device's web management interface to administrative hosts, so an attacker who reaches the device cannot use it as a pivot.
  • Input Validation: In any custom applications or integrations that push configuration to the intercom, only pass values that parse as valid IP addresses where an address is expected. This is defence in depth for the integration, not a fix for the device itself, which still requires the patch.
  • Breach Detection: Monitor web requests to the intercom's management interface for shell metacharacters in parameters, and watch for unexpected outbound connections from the device, so that exploitation attempts and a compromised device are both detected.
  • PurpleOps Solutions: Use a cyber threat intelligence platform to stay informed about emerging threats and vulnerabilities targeting VoIP and intercom systems.
  • Real-time Ransomware Intelligence: Implement real-time ransomware intelligence feeds to identify and block malicious traffic associated with ransomware attacks that could target the intercom system or connected networks.
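As an added example for the detection bullet above, the script below scans web-server-style access log lines for the two request shapes the command injection bullets describe: a query parameter carrying shell metacharacters, and a parameter that should hold an IP address but does not. It is constructed for this post, not a Zenitel artefact; the endpoint paths, the parameter names and the log lines are placeholders, because the advisory text quoted here does not name the vulnerable parameters.

```python
"""
Constructed detection example: flag access-log requests whose query string
carries shell metacharacters or an IP-typed parameter that is not an IP.
Paths, parameter names and log lines are invented placeholders.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format prefix: client, identd, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")
# Parameter names assumed to hold only an IP address on a device like this.
# Assumption for illustration; match these to the device's real interface.
IP_PARAM = re.compile(r"(?:^|_)(ip|addr|address|gateway|dns|ntp)(?:$|_)", re.I)


def is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def inspect_line(line):
    """Return the findings for one log line (empty list if it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m["uri"]).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = unquote(raw)  # second decode catches %2524 -> %24 -> '$'
        if SHELL_META.search(value):
            findings.append(dict(src=m["src"], param=name, value=value,
                                 reason="shell metacharacters"))
        elif IP_PARAM.search(name) and not is_ip(value):
            findings.append(dict(src=m["src"], param=name, value=value,
                                 reason="ip-typed parameter not an IP"))
    return findings


def scan(lines):
    return [f for line in lines for f in inspect_line(line)]


# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2025:10:01:02 +0000] "GET /example/ping?ip=10.0.0.5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2025:10:01:09 +0000] "GET /example/ping?ip=10.0.0.5%3Bid HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Nov/2025:10:01:12 +0000] "GET /example/net?gateway=%2524%2528id%2529 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Nov/2025:10:02:00 +0000] "GET /example/net?gateway=not-an-ip HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Nov/2025:10:02:30 +0000] "GET /example/ping?ip=fe80%3A%3A1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the query string is visible in an access log, so parameters sent in a POST body need the device's own request logging or a reverse proxy in front of the management interface. The second-decode step matters because a single URL-decode is what most log pipelines apply, and double-encoded payloads slip past a filter that stops there.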

Non-Technical Readers:

  • Verify Software Version: Check the current software version of your Zenitel TCIV-3+ intercom systems.
  • Contact IT Support: If you are not responsible for managing the intercom system, contact your IT support team and inform them about the vulnerabilities.
  • Prioritize Patching: Ensure that IT support prioritizes the patching of the intercom system to the latest version.
  • Understand Risks: Understand the potential risks associated with unpatched vulnerabilities, including disruption of communications and potential data breaches.
  • Supply-Chain Risk Monitoring: Ensure that your organization has a supply-chain risk monitoring process in place to assess the security posture of vendors like Zenitel.
  • Telegram Threat Monitoring: Monitor relevant Telegram channels and groups for discussions about exploits or attacks targeting Zenitel TCIV-3+ intercoms.
  • Brand Leak Alerting: Set up brand leak alerting to be notified if sensitive information related to your organization and its use of Zenitel products is leaked online.

How PurpleOps Can Help

PurpleOps specializes in providing comprehensive cybersecurity solutions, including services relevant to mitigating risks associated with vulnerabilities like those found in the Zenitel TCIV-3+ intercoms. Our services include:

  • PurpleOps Solutions: PurpleOps provides actionable cyber threat intelligence, helping organizations stay ahead of emerging threats and vulnerabilities. This includes insights into potential exploits targeting VoIP and intercom systems, allowing for proactive security measures.
  • Breach Detection: PurpleOps offers advanced breach detection capabilities, enabling organizations to identify and respond to suspicious activity targeting their networks and devices, including intercom systems.
  • Supply-Chain Risk Monitoring: PurpleOps helps organizations assess and manage the security risks associated with their supply chain, including vendors like Zenitel. This involves continuous monitoring of vendor security postures and identifying potential vulnerabilities.
  • Dark Web Monitoring: PurpleOps can monitor the dark web for discussions about exploits or attacks targeting Zenitel TCIV-3+ intercoms, providing early warning of potential threats.
  • Underground Forum Intelligence: PurpleOps gathers intelligence from underground forums frequented by cybercriminals, providing insights into emerging threats and vulnerabilities before they are widely known.
  • Live Ransomware API: PurpleOps offers a live ransomware API that provides real-time information about ransomware attacks, helping organizations identify and block malicious traffic targeting their networks and devices.

By leveraging PurpleOps’ expertise, organizations can enhance their security posture, mitigate risks associated with vulnerabilities, and protect their critical communication infrastructure.

Call to Action

To learn more about how PurpleOps can help you protect your organization from cyber threats, including vulnerabilities in critical communication systems, visit our website to explore our PurpleOps Solutions or contact us for a personalized consultation. You might also be interested in our red team operations, or in understanding the current gaps in your threat model. We can also help you understand your supply chain risks, protect you from ransomware, or set up dark web monitoring to catch brand leaks and track underground chatter about exploits.

FAQ

What versions of Zenitel TCIV-3+ are affected?
All versions prior to 9.3.3.0 are affected.

What are the potential impacts of these vulnerabilities?
Exploitation could lead to arbitrary code execution, denial-of-service conditions, or compromise of user browsers.

What is the recommended mitigation?
Upgrade to Zenitel TCIV-3+ Version 9.3.3.0 or later.

How can PurpleOps help?
PurpleOps provides cyber threat intelligence, breach detection, supply-chain risk monitoring, and dark web monitoring services.