CVE-2025-64127

Severity: Critical (RCE)

Published: 26 November 2025

Modified: 15 April 2026
CVSS v4 score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0832 (92.5th percentile)
Risk priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64127 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zenitel (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-2 (Separation of System and User Functionality) and SI-10 (Information Input Validation).

Deeper analysis

An OS command injection vulnerability tracked as CVE-2025-64127 and assigned CWE-78 was published on 2025-11-26. It arises from insufficient sanitization of user-supplied input, allowing parameters to be incorporated into operating system commands without adequate validation. The flaw carries a CVSS 4.0 score of 10.0 and affects an application that processes such input for command execution.

An unauthenticated remote attacker can supply crafted parameters to execute arbitrary operating system commands, resulting in complete loss of confidentiality, integrity, and availability on the affected system along with potential secondary impact to its environment.

CISA and vendor references, including ICSA-25-329-03 and related firmware package information, are published at the listed URLs and address the issue for affected deployments.

The associated EPSS score rose from a low baseline to a peak of 0.1088 on 2026-03-28 before receding to its current value of 0.0832, indicating that exploitation interest emerged after disclosure.

Vulnerability details

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote OS command injection in public-facing firmware enables exploitation of public-facing application (T1190) and arbitrary command execution via Unix shell (T1059.004) on likely Linux-based ICS devices.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

Zenitel (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of user-supplied input parameters before incorporation into OS commands, addressing the core cause of this command injection vulnerability.

Flaw remediation (prevent): Mandates identification, reporting, and correction of the specific OS command injection flaw through firmware updates as recommended in CISA ICSA-25-329-03.

SC-2 Separation of System and User Functionality (prevent): Enforces separation between user functionality and system functionality to prevent unsanitized user input from directly invoking arbitrary OS commands.
