CVE-2025-64130
Published: 26 November 2025
Summary
CVE-2025-64130 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Zenitel TCIV-3 (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 31.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-64130 is a reflected cross-site scripting (XSS) vulnerability in the Zenitel TCIV-3+ intercom device. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
A remote attacker can exploit this vulnerability over the network with low complexity and no required privileges or user interaction to execute arbitrary JavaScript code in the victim's browser when the victim accesses the affected device.
CISA ICS Advisory ICSA-25-329-03, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 and in CSAF JSON format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json, provides details on the vulnerability. Zenitel offers firmware updates via the Station and Device Firmware Package (VS-IS) on their wiki at https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199738
Vulnerability details
Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the public-facing web interface of the Zenitel TCIV-3+ device directly enables remote exploitation of a public-facing application without privileges or user interaction.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Applying Zenitel's firmware updates directly remediates the reflected XSS flaw in the TCIV-3+ web interface.
Output filtering encodes reflected inputs to prevent arbitrary JavaScript execution in victims' browsers.
Input validation rejects or sanitizes malicious payloads before they are reflected in web responses.
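The two controls named above, shown side by side with the vulnerable pattern they address, as an added example that is not code from Zenitel or from the advisory; the handler, the reflected parameter name and the page fragment are assumptions.

```javascript
// Added example, not Zenitel or advisory code: input validation (SI-10) and
// output encoding (SI-15) applied to a query parameter that a hypothetical
// device web page reflects back. Handler and parameter name are assumptions.

// Output encoding: neutralise the characters that can close an HTML text node
// or a quoted attribute value, so reflected input is rendered as inert text.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input validation: bound the length and reject control characters before the
// value is used anywhere. Encoding at output, not this check, is what stops XSS.
function isValidStationName(value) {
  return typeof value === 'string' && value.length > 0 && value.length <= 64
    && !/[\x00-\x1f\x7f]/.test(value);
}

// Vulnerable pattern (the CWE-79 shape): the parameter lands raw in the page.
function renderUnsafe(stationName) {
  return `<h1>Station: ${stationName}</h1>`;
}

// Hardened pattern: validate first, then encode at the point of output.
function renderSafe(stationName) {
  if (!isValidStationName(stationName)) return '<h1>Station: (invalid)</h1>';
  return `<h1>Station: ${htmlEncode(stationName)}</h1>`;
}

// Constructed sample input carrying markup, as a reflected-XSS probe would.
const CONSTRUCTED_INPUT = 'Lobby<script>alert(1)</script>';

function demo() {
  console.log(renderUnsafe(CONSTRUCTED_INPUT)); // markup reaches the browser intact
  console.log(renderSafe(CONSTRUCTED_INPUT));   // markup shown as literal text
  console.log(renderSafe('a'.repeat(65)));      // rejected by validation
}
demo();
```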