Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64092

CVE-2025-64092: Zenitel Icx500 Firmware SQLi Vulnerability

CVE-2025-64092 is an SQL injection flaw in Zenitel Icx500 Firmware that allows unauthenticated attackers to query the database through GET parameters. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-64092 Overview

CVE-2025-64092 is a SQL injection vulnerability [CWE-89] affecting Zenitel ICX500 and ICX510 intercom controller firmware. Unauthenticated attackers can inject SQL statements through GET request parameters and query the underlying database directly. The flaw is reachable over the network without user interaction or prior authentication.

Zenitel ICX500 and ICX510 devices are used in critical communication deployments including transportation hubs, industrial facilities, and security installations. Successful exploitation exposes sensitive configuration and operational data stored within the device database.

Critical Impact

Remote unauthenticated attackers can extract sensitive data from the device database by injecting SQL into GET parameters on Zenitel ICX500 and ICX510 intercom systems.

Affected Products

  • Zenitel ICX500 (hardware) and ICX500 firmware
  • Zenitel ICX510 (hardware) and ICX510 firmware
  • Deployments exposing the management interface to untrusted networks

Discovery Timeline

  • 2026-01-09 - CVE-2025-64092 published to NVD
  • 2026-02-12 - Last updated in NVD database

Technical Details for CVE-2025-64092

Vulnerability Analysis

The vulnerability resides in the web management interface of the Zenitel ICX500 and ICX510 firmware. The application accepts user-controlled values within GET request parameters and concatenates them into SQL statements without parameterization or sanitization. An attacker who crafts a request with embedded SQL syntax causes the backend to execute the injected query against the device database.

Because the affected endpoints do not require authentication, attackers can reach the vulnerable parameters by issuing direct HTTP requests. The injected statements run with the privileges of the database account used by the web application, which typically grants read access to configuration tables, user records, and operational data.

Exploitation does not require user interaction or specialized tooling. Standard SQL injection techniques such as UNION-based extraction, boolean-based blind injection, and time-based blind injection apply against the vulnerable parameters.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The firmware constructs SQL queries by string concatenation with user input from HTTP GET parameters rather than using prepared statements or parameterized queries. Missing input validation and the absence of authentication on the affected endpoints compound the issue.

Attack Vector

The attack vector is network-based. An attacker sends a crafted HTTP GET request to a vulnerable endpoint on the ICX500 or ICX510 management interface. The request contains SQL syntax appended to a parameter value that the backend incorporates into a database query. The database executes the injected statement and returns results, error messages, or behavioral signals the attacker uses to extract data.

Devices exposed directly to the internet or reachable from untrusted network segments face the highest risk. See the Zenitel Security Advisory for vendor technical details.

Detection Methods for CVE-2025-64092

Indicators of Compromise

  • HTTP GET requests to the ICX500 or ICX510 web interface containing SQL keywords such as UNION, SELECT, SLEEP(, BENCHMARK(, or comment markers (--, /*)
  • URL-encoded SQL metacharacters including %27 (single quote), %22 (double quote), and %3B (semicolon) in request parameters
  • Anomalous spikes in database error responses or unusually long response times indicating blind injection probing
  • Repeated parameter fuzzing from a single source IP against the management interface

Detection Strategies

  • Inspect web server access logs on Zenitel devices for SQL syntax patterns in query strings
  • Deploy network-based IDS signatures for common SQL injection payloads targeting HTTP parameters
  • Monitor for unauthenticated access attempts against management endpoints from non-administrative source addresses
  • Correlate outbound connections from ICX devices with timing patterns consistent with blind SQL injection exfiltration

Monitoring Recommendations

  • Forward web access logs from ICX500 and ICX510 devices to a central SIEM for query string analysis
  • Alert on HTTP requests to the management interface originating from outside the administrative network segment
  • Track baseline request volumes and flag deviations that suggest automated injection tooling
  • Review database service logs for unexpected query structures or schema enumeration attempts

How to Mitigate CVE-2025-64092

Immediate Actions Required

  • Restrict network access to the ICX500 and ICX510 management interfaces to trusted administrative subnets only
  • Remove any direct internet exposure of affected devices using firewall or ACL rules
  • Review device logs for evidence of prior SQL injection attempts against management endpoints
  • Apply the firmware update referenced in the Zenitel security advisory once available for your deployment

Patch Information

Zenitel has published an advisory documenting the vulnerability and remediation guidance. Refer to the Zenitel Security Advisory A100K12333 for the fixed firmware versions and upgrade procedure. Apply the vendor-supplied firmware to all ICX500 and ICX510 units in production.

Workarounds

  • Place affected devices behind a VPN or jump host so the management interface is not reachable from general user networks
  • Configure network segmentation that isolates intercom controllers from corporate and guest networks
  • Enforce source IP allow-lists at the network layer for HTTP access to the device web interface
  • Disable the web management interface entirely on devices where it is not actively required
bash
# Example firewall rule restricting access to the ICX management interface
# Replace ADMIN_SUBNET and DEVICE_IP with your actual values
iptables -A INPUT -p tcp -s ADMIN_SUBNET --dport 80 -d DEVICE_IP -j ACCEPT
iptables -A INPUT -p tcp -s ADMIN_SUBNET --dport 443 -d DEVICE_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d DEVICE_IP -j DROP
iptables -A INPUT -p tcp --dport 443 -d DEVICE_IP -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.