CVE-2025-64129 Overview
CVE-2025-64129 is an out-of-bounds write vulnerability [CWE-787] affecting the Zenitel TCIV-3+ intercom device. A remote attacker can exploit the flaw to crash the device, resulting in a denial-of-service condition. The issue is tracked by CISA in ICS Advisory ICSA-25-329-03, indicating impact on operational technology (OT) environments where Zenitel intercoms are deployed for communication and access control.
According to the CVSS 4.0 vector, exploitation requires network reachability and active user interaction, but no privileges or authentication, which lowers the barrier for an attacker who can reach the device's network segment.
Critical Impact
Remote attackers can trigger an out-of-bounds write that crashes the Zenitel TCIV-3+ device, disrupting intercom and communication services in operational technology environments.
Affected Products
- Zenitel TCIV-3+ intercom device
- Zenitel station and device firmware (VS-IS package) prior to the vendor-supplied fix
- ICS/OT deployments using TCIV-3+ for communication and access control
Discovery Timeline
- 2025-11-26 - CVE-2025-64129 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64129
Vulnerability Analysis
The vulnerability is classified under [CWE-787] Out-of-Bounds Write. This class of flaw occurs when software writes data past the end, or before the beginning, of an intended buffer. The result is typically memory corruption that can crash the affected process or, in some cases, alter program control flow.
In the Zenitel TCIV-3+, the out-of-bounds write is reachable over the network and leads to a device crash. Public advisory information from CISA describes the impact as availability loss, consistent with the high availability impact rating in the CVSS 4.0 vector. The CVSS vector also notes user interaction is required, which suggests an attacker may need a user on the target side to trigger a specific action or accept an inbound request.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is an out-of-bounds write in the firmware of the TCIV-3+ device. The firmware writes to memory outside the boundaries of an allocated buffer when handling attacker-supplied input. Refer to the CISA ICS Advisory ICSA-25-329-03 for vendor-confirmed technical details.
Attack Vector
The attack vector is network-based. An attacker on a network path to the device sends crafted input that the firmware processes incorrectly. The CVSS 4.0 vector indicates low attack complexity, no required privileges, and active user interaction. Successful exploitation crashes the device, removing the intercom from service until restart or recovery.
No verified exploitation code is available. CISA also publishes the advisory as a machine-readable CSAF JSON file in its CSAF repository on GitHub, which can be ingested directly by vulnerability-management tooling.
Detection Methods for CVE-2025-64129
Indicators of Compromise
- Unexpected reboots, watchdog resets, or unresponsive states on Zenitel TCIV-3+ devices
- Repeated loss of SIP or intercom registration from a TCIV-3+ endpoint
- Crash or restart entries in device system logs without operator action
- Inbound network traffic to the device from unexpected sources prior to a crash event
Detection Strategies
- Monitor device availability with ICMP and application-layer health checks against TCIV-3+ endpoints
- Alert on repeated short-interval restarts of the same intercom device
- Capture and review network flows targeting management and SIP ports on Zenitel devices
- Correlate device crash events with inbound connection attempts using a centralized log platform
Monitoring Recommendations
- Forward device syslog to a centralized SIEM and create rules for crash and restart events
- Baseline normal traffic to TCIV-3+ devices and alert on protocol anomalies
- Track firmware versions across the fleet to confirm patch status
- Review network segmentation between IT and OT zones containing intercom devices
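The restart-burst rule and the crash-to-inbound-connection correlation described under Detection Strategies and Monitoring Recommendations, written out as an added example (this is not code from the page, Zenitel or CISA). The syslog and flow-record formats, hostnames, addresses, allowlist and restart message wording are all constructed for the example; a real deployment would map the device's actual log messages and the firewall's flow export format into the two parsers.

```python
"""Detect repeated short-interval restarts on Zenitel TCIV-3+ intercoms and correlate
them with inbound connection attempts seen at the upstream firewall.
Added example; every log line and address below is constructed, not real data."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed device syslog as forwarded to a SIEM: "<ISO8601> <host> <message>".
# The message wording is an assumption for this example, not Zenitel's real log format.
DEVICE_SYSLOG = """\
2025-11-26T10:00:05Z tciv-lobby boot: system start, reason=watchdog
2025-11-26T10:03:41Z tciv-lobby boot: system start, reason=watchdog
2025-11-26T10:07:12Z tciv-lobby boot: system start, reason=watchdog
2025-11-26T10:30:00Z tciv-dock boot: system start, reason=power-on
2025-11-26T11:00:00Z tciv-lobby sip: registered to 10.10.40.5
""".splitlines()

# Constructed firewall flow records: "<ISO8601> <src> -> <dst>:<port>/<proto>".
FLOW_LOG = """\
2025-11-26T09:59:50Z 10.10.20.15 -> 10.10.30.10:443/tcp
2025-11-26T10:03:20Z 192.168.77.9 -> 10.10.30.10:5060/udp
2025-11-26T10:06:55Z 192.168.77.9 -> 10.10.30.10:5060/udp
2025-11-26T10:29:00Z 10.10.40.5 -> 10.10.30.11:5060/udp
""".splitlines()

# Assumed fleet inventory and the peers allowed to reach the intercoms (management net, SIP server).
DEVICE_IPS = {"tciv-lobby": "10.10.30.10", "tciv-dock": "10.10.30.11"}
ALLOWED_PEERS = [ipaddress.ip_network("10.10.20.0/24"), ipaddress.ip_network("10.10.40.5/32")]

RESTART_RE = re.compile(r"system start|watchdog|reboot|crash", re.IGNORECASE)
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(\w+)$")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def restart_events(lines):
    """Return {host: sorted timestamps} for every line that looks like a restart or crash."""
    events = defaultdict(list)
    for line in lines:
        ts, host, msg = line.split(" ", 2)
        if RESTART_RE.search(msg):
            events[host].append(parse_ts(ts))
    return {host: sorted(times) for host, times in events.items()}


def restart_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Hosts with at least `threshold` restarts inside any sliding `window` of time."""
    flagged = {}
    for host, times in events.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = times
                break
    return flagged


def parse_flows(lines):
    """Parse flow records into (timestamp, src, dst, port, proto) tuples; skip malformed lines."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            flows.append((parse_ts(m.group(1)), m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return flows


def is_allowed(src):
    """True if the source address falls inside one of the allowlisted peer networks."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_PEERS)


def suspicious_inbound(device_ip, restart_times, flows, lookback=timedelta(minutes=2)):
    """Count inbound connections from non-allowlisted sources in the window before each restart."""
    hits = defaultdict(int)
    for restart in restart_times:
        for ts, src, dst, _port, _proto in flows:
            if dst == device_ip and restart - lookback <= ts <= restart and not is_allowed(src):
                hits[src] += 1
    return dict(hits)


def analyze(syslog_lines=DEVICE_SYSLOG, flow_lines=FLOW_LOG):
    """Run both checks; return one finding per device that shows a restart burst."""
    flows = parse_flows(flow_lines)
    findings = []
    for host, times in restart_bursts(restart_events(syslog_lines)).items():
        ip = DEVICE_IPS.get(host)
        findings.append({
            "host": host,
            "restarts": [t.isoformat() for t in times],
            "suspicious_sources": suspicious_inbound(ip, times, flows) if ip else {},
        })
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['host']}: {len(f['restarts'])} restarts; unexpected inbound sources "
              f"before restarts: {f['suspicious_sources'] or 'none'}")
```

The thresholds (three restarts within ten minutes, a two-minute lookback before each restart) are starting points, not tuned values; set them from the fleet's own baseline so that scheduled maintenance reboots do not page anyone, and treat a burst with no correlated inbound traffic as a hardware or power problem to investigate rather than dismiss.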
How to Mitigate CVE-2025-64129
Immediate Actions Required
- Inventory all Zenitel TCIV-3+ devices and record current firmware versions
- Apply the vendor-supplied firmware update from the Zenitel Firmware Package Download page
- Restrict network reachability to TCIV-3+ devices using firewall rules and VLAN segmentation
- Follow the guidance in CISA ICS Advisory ICSA-25-329-03 for defense-in-depth controls
Patch Information
Zenitel publishes fixed firmware in the VS-IS Station and Device Firmware Package. Administrators should download the latest release from the official Zenitel wiki and follow the vendor upgrade procedure. CISA tracks the coordinated disclosure under advisory ICSA-25-329-03.
Workarounds
- Place TCIV-3+ devices behind a firewall and block direct exposure to untrusted networks
- Limit management access to a dedicated administrative VLAN or jump host
- Disable or restrict unused services and protocols on the device where supported
- Apply network access control lists permitting only known SIP and management peers
# Configuration example: restrict access to Zenitel TCIV-3+ on an upstream firewall
# Replace 10.10.20.0/24 with the management network, 10.10.40.5 with the SIP server or
# peer the intercom registers with, and 10.10.30.10 with the device IP. The ports are
# illustrative: adjust them to the protocols actually in use at the site (for example
# SIP over TCP/TLS or the RTP media range) before deploying.
iptables -A FORWARD -s 10.10.20.0/24 -d 10.10.30.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s 10.10.40.5 -d 10.10.30.10 -p udp --dport 5060 -j ACCEPT
# Log (rate-limited) before dropping so denied connection attempts can be correlated
# with any later crash or restart event on the device
iptables -A FORWARD -d 10.10.30.10 -m limit --limit 5/min -j LOG --log-prefix "TCIV3-DENY: "
iptables -A FORWARD -d 10.10.30.10 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.