CVE-2025-64092 Overview
CVE-2025-64092 is a SQL injection vulnerability [CWE-89] affecting Zenitel ICX500 and ICX510 intercom controller firmware. Unauthenticated attackers can inject SQL statements through GET request parameters and query the underlying database directly. The flaw is reachable over the network without user interaction or prior authentication.
Zenitel ICX500 and ICX510 devices are used in critical communication deployments including transportation hubs, industrial facilities, and security installations. Successful exploitation exposes sensitive configuration and operational data stored within the device database.
Critical Impact
Remote unauthenticated attackers can extract sensitive data from the device database by injecting SQL into GET parameters on Zenitel ICX500 and ICX510 intercom systems.
Affected Products
- Zenitel ICX500 (hardware) and ICX500 firmware
- Zenitel ICX510 (hardware) and ICX510 firmware
- Deployments exposing the management interface to untrusted networks
Discovery Timeline
- 2026-01-09 - CVE-2025-64092 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-64092
Vulnerability Analysis
The vulnerability resides in the web management interface of the Zenitel ICX500 and ICX510 firmware. The application accepts user-controlled values within GET request parameters and concatenates them into SQL statements without parameterization or sanitization. An attacker who crafts a request with embedded SQL syntax causes the backend to execute the injected query against the device database.
Because the affected endpoints do not require authentication, attackers can reach the vulnerable parameters by issuing direct HTTP requests. The injected statements run with the privileges of the database account used by the web application, which typically grants read access to configuration tables, user records, and operational data.
Exploitation does not require user interaction or specialized tooling. Standard SQL injection techniques such as UNION-based extraction, boolean-based blind injection, and time-based blind injection apply against the vulnerable parameters.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The firmware constructs SQL queries by string concatenation with user input from HTTP GET parameters rather than using prepared statements or parameterized queries. Missing input validation and the absence of authentication on the affected endpoints compound the issue.
Attack Vector
The attack vector is network-based. An attacker sends a crafted HTTP GET request to a vulnerable endpoint on the ICX500 or ICX510 management interface. The request contains SQL syntax appended to a parameter value that the backend incorporates into a database query. The database executes the injected statement and returns results, error messages, or behavioral signals the attacker uses to extract data.
Devices exposed directly to the internet or reachable from untrusted network segments face the highest risk. See the Zenitel Security Advisory for vendor technical details.
Detection Methods for CVE-2025-64092
Indicators of Compromise
- HTTP GET requests to the ICX500 or ICX510 web interface containing SQL keywords such as UNION, SELECT, SLEEP(, BENCHMARK(, or comment markers (--, /*)
- URL-encoded SQL metacharacters including %27 (single quote), %22 (double quote), and %3B (semicolon) in request parameters
- Anomalous spikes in database error responses or unusually long response times indicating blind injection probing
- Repeated parameter fuzzing from a single source IP against the management interface
Detection Strategies
- Inspect web server access logs on Zenitel devices for SQL syntax patterns in query strings
- Deploy network-based IDS signatures for common SQL injection payloads targeting HTTP parameters
- Monitor for unauthenticated access attempts against management endpoints from non-administrative source addresses
- Correlate outbound connections from ICX devices with timing patterns consistent with blind SQL injection exfiltration
Monitoring Recommendations
- Forward web access logs from ICX500 and ICX510 devices to a central SIEM for query string analysis
- Alert on HTTP requests to the management interface originating from outside the administrative network segment
- Track baseline request volumes and flag deviations that suggest automated injection tooling
- Review database service logs for unexpected query structures or schema enumeration attempts
How to Mitigate CVE-2025-64092
Immediate Actions Required
- Restrict network access to the ICX500 and ICX510 management interfaces to trusted administrative subnets only
- Remove any direct internet exposure of affected devices using firewall or ACL rules
- Review device logs for evidence of prior SQL injection attempts against management endpoints
- Apply the firmware update referenced in the Zenitel security advisory once available for your deployment
Patch Information
Zenitel has published an advisory documenting the vulnerability and remediation guidance. Refer to the Zenitel Security Advisory A100K12333 for the fixed firmware versions and upgrade procedure. Apply the vendor-supplied firmware to all ICX500 and ICX510 units in production.
Workarounds
- Place affected devices behind a VPN or jump host so the management interface is not reachable from general user networks
- Configure network segmentation that isolates intercom controllers from corporate and guest networks
- Enforce source IP allow-lists at the network layer for HTTP access to the device web interface
- Disable the web management interface entirely on devices where it is not actively required
# Example firewall rule restricting access to the ICX management interface
# Replace ADMIN_SUBNET and DEVICE_IP with your actual values
iptables -A INPUT -p tcp -s ADMIN_SUBNET --dport 80 -d DEVICE_IP -j ACCEPT
iptables -A INPUT -p tcp -s ADMIN_SUBNET --dport 443 -d DEVICE_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d DEVICE_IP -j DROP
iptables -A INPUT -p tcp --dport 443 -d DEVICE_IP -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

