CVE-2025-64090 Overview
CVE-2025-64090 is a command injection vulnerability affecting Zenitel TCIS-3 intercom devices. Authenticated attackers can execute arbitrary operating system commands by supplying crafted input to the device hostname field. The flaw is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command and carries a network attack vector with low privilege requirements. Successful exploitation impacts confidentiality, integrity, and availability of the affected device.
Critical Impact
Authenticated attackers can execute arbitrary commands on Zenitel TCIS-3 devices through the hostname configuration parameter, leading to full device compromise.
Affected Products
- Zenitel TCIS-3 (hardware)
- Zenitel TCIS-3 Firmware
- All firmware versions prior to the vendor-issued security update
Discovery Timeline
- 2026-01-09 - CVE-2025-64090 published to the National Vulnerability Database
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-64090
Vulnerability Analysis
The vulnerability resides in the hostname configuration handler of the TCIS-3 firmware. The device accepts a user-supplied hostname value through its management interface and passes that value into a system command without proper neutralization of shell metacharacters. Because the hostname is interpreted by an underlying shell, attackers can append additional commands using standard operators such as semicolons, backticks, or command substitution syntax.
Exploitation requires valid authentication to the device management interface. Once authenticated, an attacker can modify the hostname value to embed arbitrary commands that the firmware executes with the privileges of the configuration process. The resulting code execution gives the attacker control over the intercom device, which is commonly deployed in critical access-control and communication scenarios.
Root Cause
The firmware constructs shell commands using string concatenation that includes the hostname value. The input is not sanitized, escaped, or validated against an allow-list of legitimate hostname characters. This pattern matches CWE-77, where untrusted input flows directly into a command interpreter.
Attack Vector
The attack is performed remotely over the network against the device management interface. An attacker first obtains valid credentials, then submits a malicious hostname value containing shell command separators followed by attacker-controlled commands. The firmware writes the value and invokes a shell, which executes the injected payload. No user interaction is required after authentication.
No verified public proof-of-concept code is available. Refer to the Zenitel Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2025-64090
Indicators of Compromise
- Unexpected modifications to the device hostname containing shell metacharacters such as ;, &, |, `, or $(
- Outbound network connections from TCIS-3 devices to unfamiliar hosts or command-and-control infrastructure
- New or unauthorized processes spawned by the configuration daemon on the device
- Configuration audit log entries showing hostname changes from administrative or non-administrative accounts
Detection Strategies
- Inspect configuration backups and management API logs for hostname values containing non-RFC-1123 characters
- Monitor authentication logs on TCIS-3 devices for successful logins followed by configuration changes
- Correlate failed authentication attempts with subsequent successful logins to identify credential brute-force activity
- Deploy network traffic analysis to flag anomalous egress from intercom VLANs
Monitoring Recommendations
- Forward TCIS-3 syslog output to a centralized logging platform for retention and correlation
- Alert on any change to device hostname outside of approved change windows
- Baseline normal management interface access patterns and alert on deviations
- Restrict and log all administrative sessions to the device management plane
How to Mitigate CVE-2025-64090
Immediate Actions Required
- Apply the firmware update referenced in the Zenitel Security Advisory A100K12333 as soon as it is available for your deployment
- Rotate all administrative credentials on affected TCIS-3 devices
- Audit existing hostname values across all devices and reset any containing unexpected characters
- Restrict management interface access to a dedicated administration network or jump host
Patch Information
Zenitel has published security advisory A100K12333 describing the vulnerability and remediation guidance. Administrators should consult the vendor advisory for fixed firmware versions and upgrade procedures specific to their TCIS-3 deployment.
Workarounds
- Place TCIS-3 devices behind a network segment that blocks direct access to the management interface from general user networks
- Enforce strong, unique credentials and multi-factor authentication where supported by the management infrastructure
- Disable or limit administrative accounts to the minimum required for operations
- Monitor and alert on any hostname configuration change until firmware updates are deployed
# Example firewall rule restricting TCIS-3 management access to a jump host
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.5 -d <tcis3_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -d <tcis3_ip> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

