CVE-2025-64130: Critical XSS Vulnerability Exposes Zenitel TCIV-3+ Intercom Systems

Overview

CVE-2025-64130 is a critical security vulnerability affecting Zenitel TCIV-3+ intercom systems. This vulnerability is a reflected Cross-Site Scripting (XSS) issue, which can be exploited by a remote attacker to execute arbitrary JavaScript code within a victim’s browser. Successful exploitation of this vulnerability can lead to session hijacking, defacement of the intercom’s web interface, or redirection of the user to malicious websites.

Technical Details

The vulnerability lies in the handling of user-supplied input within the web interface of the Zenitel TCIV-3+ device. Specifically, certain parameters are not properly sanitized before being reflected back to the user’s browser. An attacker can craft a malicious URL containing JavaScript code embedded within a vulnerable parameter. When a user clicks on this crafted link (or is otherwise tricked into loading it), the malicious script will be executed in their browser, within the security context of the Zenitel TCIV-3+ web application.

This is a reflected XSS vulnerability, meaning the malicious script is not stored on the server itself, but rather is reflected back to the user immediately in the response. This type of attack relies on social engineering or other methods to entice a user to click the malicious link.
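The flaw class described above, shown as an added example that is not code from the advisory or from Zenitel: a minimal handler that reflects a query parameter straight into HTML, beside a hardened version that entity-encodes the value and sends defensive response headers. The endpoint path, the parameter name "msg", the page layout and the crafted URL are all constructed for illustration and are not the TCIV-3+ interface.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example URL (assumption, not a real Zenitel endpoint): the "msg"
# parameter carries HTML/script markup that a reflecting page would echo back.
CRAFTED_URL = "http://intercom.example/search?msg=%3Cscript%3Ealert(1)%3C/script%3E"


def _param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' when absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect 'msg' into the page without any output encoding.

    This is the defect class the advisory describes: whatever the client sent
    is interpreted by the browser as live markup in the application's origin.
    """
    return f"<html><body><p>Result for: {_param(url, 'msg')}</p></body></html>"


def render_hardened(url: str) -> str:
    """Reflect the same value after HTML-entity encoding.

    html.escape(quote=True) turns & < > " ' into entities, so the browser
    renders the input as text instead of parsing it as elements or scripts.
    """
    safe = html.escape(_param(url, "msg"), quote=True)
    return f"<html><body><p>Result for: {safe}</p></body></html>"


def hardened_headers(session_id: str) -> dict:
    """Defence-in-depth headers for the response carrying the page.

    CSP limits where scripts may load from, nosniff prevents MIME confusion,
    and HttpOnly keeps the session cookie out of reach of page scripts, which
    blunts the session-hijacking impact even if an encoding bug slips through.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/",
    }


def contains_live_markup(page: str) -> bool:
    """Crude check used only to compare the two renderers: is there an
    unencoded tag or event handler in the emitted HTML?"""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(CRAFTED_URL))
    print("hardened   :", render_hardened(CRAFTED_URL))
    print("live markup in hardened page:", contains_live_markup(render_hardened(CRAFTED_URL)))
```

Output encoding at the point where the value is written into HTML is the fix for the reflection itself; the headers are a second layer that reduces what a remaining reflection could achieve, and neither replaces applying the vendor firmware.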

CVSS Analysis

This vulnerability has been assigned a CVSS score of 9.8 (Critical). The score reflects the severity of the potential impact together with the relative ease of exploitation. The vector components, each with a brief interpretation, are as follows:

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network (AV:N) – The attack can be performed remotely over the network.
  • Attack Complexity: Low (AC:L) – The attack is relatively easy to execute.
  • Privileges Required: None (PR:N) – No privileges are required to exploit the vulnerability.
  • User Interaction: Required (UI:R) – User interaction is required to trigger the vulnerability (e.g., clicking a malicious link).
  • Scope: Changed (S:C) – An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.
  • Confidentiality Impact: High (C:H) – There is a high impact on confidentiality.
  • Integrity Impact: High (I:H) – There is a high impact on integrity.
  • Availability Impact: None (A:N) – There is no impact on availability.

Possible Impact

Successful exploitation of CVE-2025-64130 can have significant consequences:

  • Account Hijacking: An attacker could steal the user’s session cookie, allowing them to impersonate the user and gain unauthorized access to the intercom system’s settings.
  • System Defacement: The attacker could modify the web interface of the Zenitel TCIV-3+ device, potentially displaying misleading or malicious information.
  • Malware Distribution: The attacker could redirect the user to a malicious website to download and install malware.
  • Information Theft: If the intercom system stores sensitive information, the attacker could potentially steal this data.

Mitigation and Patch Steps

Zenitel has released a firmware update to address this vulnerability. Users of Zenitel TCIV-3+ devices are strongly advised to upgrade to the latest firmware version as soon as possible. Follow these steps to mitigate the risk:

  1. Download the Latest Firmware: Download the latest firmware package from the official Zenitel website. You can find the firmware packages at the following location: Zenitel Downloads.
  2. Apply the Firmware Update: Follow the instructions provided by Zenitel for upgrading the firmware of your TCIV-3+ device. Ensure you back up your configuration before performing the upgrade.
  3. Educate Users: Train users to be cautious about clicking on links from untrusted sources or opening suspicious attachments.
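As an added example that is not part of the advisory, the following detection logic scans web-server access logs for requests whose query string carries HTML or script markup, which is how attempts against a reflecting parameter show up on the device or on a proxy in front of it. The log lines, hosts and paths are constructed samples in Common Log Format; the TCIV-3+ log format is not documented on this page, so the regular expression is an assumption to adapt to the real source.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (assumption: Common Log Format). Two of the four
# requests carry URL-encoded markup in the query string; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2025:10:01:02 +0000] "GET /search?msg=hello HTTP/1.1" 200 512
10.0.0.9 - - [21/Nov/2025:10:01:09 +0000] "GET /search?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540
10.0.0.9 - - [21/Nov/2025:10:02:11 +0000] "GET /status?id=3 HTTP/1.1" 200 300
10.0.0.12 - - [21/Nov/2025:10:03:44 +0000] "GET /search?msg=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 544
"""

# Client IP, timestamp, method, request target and status from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup indicators in a decoded query string: an opening/closing tag, a
# javascript: URL, or an on*= event-handler attribute. The last alternative can
# match benign parameter names such as "once=", so treat hits as leads to review.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_target(target: str) -> str:
    """Percent-decode twice so single- and double-encoded payloads look alike."""
    return unquote_plus(unquote_plus(target))


def find_reflected_xss_attempts(log_text: str) -> list:
    """Return one record per request whose decoded query string contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        decoded = decode_target(m["target"])
        if "?" not in decoded:
            continue  # no query string, nothing to reflect
        query = decoded.split("?", 1)[1]
        if MARKUP_RE.search(query):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "target": m["target"]})
    return hits


def count_by_ip(hits: list) -> dict:
    """Aggregate hits per source address to surface repeated probing."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_reflected_xss_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]}  {h["ip"]}  {h["status"]}  {h["target"]}')
    print("per source:", count_by_ip(found))
```

A 200 status on a flagged request only means the page answered; whether the value was reflected unencoded has to be confirmed against the firmware version in use. Feeding the flagged source addresses and timestamps into the existing alerting pipeline gives a compensating signal while the firmware update in steps 1 and 2 is being rolled out.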

References

CISA CSAF Advisory
Zenitel Downloads – Station and Device Firmware
CISA ICS Advisory – ICSA-25-329-03

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
