CVE-2025-64090
Published: 09 January 2026
Description
This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection (CWE-77) by validating hostname inputs to block arbitrary command execution.
Remediates the specific vulnerability through timely patching as detailed in the Zenitel security advisory.
Limits damage from successful command injection by enforcing least privilege on processes handling hostname changes.
Security SummaryAI
CVE-2025-64090 is a command injection vulnerability (CWE-77) that affects Zenitel devices. Published on 2026-01-09, it allows authenticated attackers to execute arbitrary commands by manipulating the hostname of the device. The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and potential for high impact across confidentiality, integrity, and availability in a changed scope.
Authenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables command execution on the affected device, potentially leading to full compromise including data exfiltration, modification, or disruption of services.
Zenitel has published a security advisory detailing the issue at https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf, which security practitioners should consult for mitigation steps and available patches.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in network-accessible Zenitel device enables exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).