CVE-2025-64090

CriticalRCE

Published: 09 January 2026

Published

09 January 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0015 34.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64090 is a critical-severity Command Injection (CWE-77) vulnerability in Zenitel Tcis-3 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection (CWE-77) by validating hostname inputs to block arbitrary command execution.

SI-2 Flaw Remediation good match

prevent

Remediates the specific vulnerability through timely patching as detailed in the Zenitel security advisory.

AC-6 Least Privilege partial match

prevent

Limits damage from successful command injection by enforcing least privilege on processes handling hostname changes.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection in network-accessible Zenitel device enables exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

This vulnerability allows authenticated attackers to execute commands via the hostname of the device.

Deeper analysisAI

CVE-2025-64090 is a command injection vulnerability (CWE-77) that affects Zenitel devices. Published on 2026-01-09, it allows authenticated attackers to execute arbitrary commands by manipulating the hostname of the device. The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and potential for high impact across confidentiality, integrity, and availability in a changed scope.

Authenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables command execution on the affected device, potentially leading to full compromise including data exfiltration, modification, or disruption of services.

Zenitel has published a security advisory detailing the issue at https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf, which security practitioners should consult for mitigation steps and available patches.