CVE-2025-64127

CriticalRCE

Published: 26 November 2025

Published

26 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0832 92.4th percentile

Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64127 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zenitel (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-2 (Separation of System and User Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of user-supplied input parameters before incorporation into OS commands, addressing the core cause of this command injection vulnerability.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of the specific OS command injection flaw through firmware updates as recommended in CISA ICSA-25-329-03.

SC-2 Separation of System and User Functionality good match

prevent

Enforces separation between user functionality and system functionality to prevent unsanitized user input from directly invoking arbitrary OS commands.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Unauthenticated remote OS command injection in public-facing firmware enables exploitation of public-facing application (T1190) and arbitrary command execution via Unix shell (T1059.004) on likely Linux-based ICS devices.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

Deeper analysisAI

CVE-2025-64127 is an OS command injection vulnerability (CWE-78) caused by insufficient sanitization of user-supplied input. The affected application accepts parameters that are later incorporated into OS commands without adequate validation. Published on 2025-11-26, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). References, including CISA ICS Advisory ICSA-25-329-03 and Zenitel's wiki page for the Station and Device Firmware Package (VS-IS), document the issue.

An unauthenticated attacker can exploit the vulnerability remotely by supplying malicious input through affected parameters. Successful exploitation enables arbitrary OS command execution, potentially granting full control over the impacted system.

Mitigation details are available in the referenced advisories, including CISA ICSA-25-329-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03), Zenitel's firmware downloads wiki (https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29), and the CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json).