Cyber Resilience

CVE-2025-59818

CriticalRCE

Published: 04 February 2026

Published
04 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0048 37.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-59818 is a critical-severity Command Injection (CWE-77) vulnerability in Zenitel Tcis-3 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59818 is a command injection vulnerability (CWE-77) that enables authenticated attackers to execute arbitrary commands on the underlying system by manipulating the filename of an uploaded file. It affects Zenitel communication systems, including Turbine, VSF-Display Series, VSF-Fortitude6, VSF-Fortitude8, and ZIPS prior to version 9.3. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no user interaction required, and full impacts on confidentiality, integrity, and availability in a changed scope.

An authenticated attacker, despite the CVSS indicating no privileges required (PR:N), can exploit this flaw by uploading a specially crafted file whose filename injects and executes arbitrary operating system commands. Successful exploitation grants remote code execution on the affected device, potentially leading to complete system compromise, data exfiltration, or further lateral movement within the network.

Zenitel's release notes for version 9.3 across the affected products—Turbine, VSF-Display Series, VSF-Fortitude6, VSF-Fortitude8, and ZIPS—address this vulnerability, recommending upgrade to the patched 9.3 release as the primary mitigation. No additional workarounds are detailed in the provided references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection via manipulated filename in file upload feature of network-accessible communication systems enables exploitation of public-facing applications (T1190) and remote services (T1210), directly facilitating arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64090Same product: Zenitel Tcis-3
CVE-2025-64091Same product: Zenitel Tcis-3
CVE-2025-64093Same vendor: Zenitel
CVE-2025-64092Same vendor: Zenitel
CVE-2016-15057Shared CWE-77
CVE-2024-52325Shared CWE-77
CVE-2026-44869Shared CWE-77
CVE-2026-44866Shared CWE-77
CVE-2025-57685Shared CWE-77
CVE-2025-60021Shared CWE-77

Affected Assets

zenitel
tcis-3 firmware
≤ 9.2.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by validating filenames of uploaded files to reject malicious payloads containing shell metacharacters.

prevent

Ensures timely remediation of the specific command injection flaw through patching to version 9.3 as recommended by the vendor.

prevent

Restricts filenames at file upload boundaries to safe character sets or patterns, blocking injection attempts via disallowed metacharacters.

References