CVE-2025-64093
Published: 09 January 2026
Description
Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
Mitigating Controls (NIST 800-53 r5)AI
Directly implements input validation on the hostname field to block arbitrary command injection by unauthenticated attackers.
Restricts hostname modifications and related functions to only authorized users, preventing unauthenticated access exploitation.
Mandates timely patching of the specific command injection flaw in Zenitel devices as per the vendor advisory.
Security SummaryAI
CVE-2025-64093 is a remote code execution vulnerability stemming from command injection (CWE-77) in Zenitel devices. It enables unauthenticated attackers to inject arbitrary commands into the device's hostname. The vulnerability carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impact across confidentiality, integrity, and availability with a changed scope.
Unauthenticated attackers with network access to affected Zenitel devices can exploit this vulnerability remotely. By injecting malicious commands into the hostname field, they achieve remote code execution, potentially compromising the entire device and enabling full control over its operations.
Zenitel has published a security advisory detailing mitigations and patches at https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf. Security practitioners should consult this document for specific remediation steps.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-64093 enables unauthenticated remote code execution through command injection in the hostname field of public-facing Zenitel devices, directly facilitating T1190: Exploit Public-Facing Application.