Cyber Resilience

CVE-2025-64093

CriticalRCE

Published: 09 January 2026

Published
09 January 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0071 48.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-64093 is a critical-severity Command Injection (CWE-77) vulnerability in Zenitel Icx500 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-64093 is a remote code execution vulnerability stemming from command injection (CWE-77) in Zenitel devices. It enables unauthenticated attackers to inject arbitrary commands into the device's hostname. The vulnerability carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impact across confidentiality, integrity, and availability with a changed scope.

Unauthenticated attackers with network access to affected Zenitel devices can exploit this vulnerability remotely. By injecting malicious commands into the hostname field, they achieve remote code execution, potentially compromising the entire device and enabling full control over its operations.

Zenitel has published a security advisory detailing mitigations and patches at https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf. Security practitioners should consult this document for specific remediation steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-64093 enables unauthenticated remote code execution through command injection in the hostname field of public-facing Zenitel devices, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64092Same product: Zenitel Icx500
CVE-2025-64090Same vendor: Zenitel
CVE-2025-59818Same vendor: Zenitel
CVE-2025-64091Same vendor: Zenitel
CVE-2024-34166Shared CWE-77
CVE-2026-26093Shared CWE-77
CVE-2025-56425Shared CWE-77
CVE-2024-55062Shared CWE-77
CVE-2024-54660Shared CWE-77
CVE-2026-3854Shared CWE-77

Affected Assets

zenitel
icx500 firmware
≤ 1.4.3.3
zenitel
icx510 firmware
≤ 1.4.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements input validation on the hostname field to block arbitrary command injection by unauthenticated attackers.

prevent

Restricts hostname modifications and related functions to only authorized users, preventing unauthenticated access exploitation.

prevent

Mandates timely patching of the specific command injection flaw in Zenitel devices as per the vendor advisory.

References