Cyber Resilience

CVE-2025-64090

CriticalRCE

Published: 09 January 2026

Published
09 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0036 27.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-64090 is a critical-severity Command Injection (CWE-77) vulnerability in Zenitel Tcis-3 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-64090 is a command injection vulnerability (CWE-77) that affects Zenitel devices. Published on 2026-01-09, it allows authenticated attackers to execute arbitrary commands by manipulating the hostname of the device. The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and potential for high impact across confidentiality, integrity, and availability in a changed scope.

Authenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables command execution on the affected device, potentially leading to full compromise including data exfiltration, modification, or disruption of services.

Zenitel has published a security advisory detailing the issue at https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf, which security practitioners should consult for mitigation steps and available patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

This vulnerability allows authenticated attackers to execute commands via the hostname of the device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in network-accessible Zenitel device enables exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59818Same product: Zenitel Tcis-3
CVE-2025-64091Same product: Zenitel Tcis-3
CVE-2025-64093Same vendor: Zenitel
CVE-2024-57590Shared CWE-77
CVE-2024-57036Shared CWE-77
CVE-2024-39765Shared CWE-77
CVE-2025-29635Shared CWE-77
CVE-2024-39782Shared CWE-77
CVE-2024-13871Shared CWE-77
CVE-2025-50722Shared CWE-77

Affected Assets

zenitel
tcis-3 firmware
≤ 9.2.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection (CWE-77) by validating hostname inputs to block arbitrary command execution.

prevent

Remediates the specific vulnerability through timely patching as detailed in the Zenitel security advisory.

prevent

Limits damage from successful command injection by enforcing least privilege on processes handling hostname changes.

References