Cyber Posture

CVE-2025-64127

Severity: Critical
Published: 26 November 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0832 (92.3rd percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

Mitigating Controls (NIST 800-53 r5, AI-generated)

- prevent: Directly requires validation and sanitization of user-supplied input parameters before they are incorporated into OS commands, addressing the root cause of this command injection vulnerability.
- prevent: Mandates identification, reporting, and correction of the specific OS command injection flaw through firmware updates, as recommended in CISA ICSA-25-329-03.
- prevent: Enforces separation between user functionality and system functionality so that unsanitized user input cannot directly invoke arbitrary OS commands.
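The following is an added illustration of the first control above (validate the parameter before it reaches any command) and is not code from Zenitel, CISA or this page. It uses a hypothetical device diagnostic handler that takes a "host" parameter from an HTTP request; the vulnerable form splices the parameter into a shell string, the hardened form allowlists it and passes it as a single argv element with no shell, and a small detection helper flags request parameters carrying shell metacharacters for logging.

```python
import re
import subprocess

# Constructed, hypothetical device diagnostic handler: a "host" parameter
# from an HTTP request is used to run a network reachability check. This is
# an illustration of the CWE-78 pattern and its fix, not Zenitel's firmware.

# Allowlist for a hostname or IPv4 literal: letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Characters a POSIX shell would interpret; used only for detection logging.
SHELL_METACHARS = set(";|&`$()<>\n\r\"'\\*?{}[]~")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command string.

    Anything the user sends after the host (separators, substitutions) survives
    in the returned string and would be interpreted if run via /bin/sh -c.
    """
    return f"ping -c 1 {host}"


def is_valid_hostname(host: str) -> bool:
    """Allowlist validation applied before the value reaches any command."""
    if not HOSTNAME_RE.fullmatch(host):
        return False
    if host.startswith("-"):  # would otherwise be parsed as a ping option
        return False
    if ".." in host or host.startswith(".") or host.endswith("."):
        return False
    return True


def validate_hostname(host: str) -> str:
    """Raise on anything outside the allowlist instead of trying to 'clean' it."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_command_safe(host: str) -> list[str]:
    """Hardened pattern: validated value passed as one argv element, no shell."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_diagnostic(host: str) -> subprocess.CompletedProcess:
    """Execute without shell=True so argv boundaries are fixed by the program."""
    return subprocess.run(build_command_safe(host), shell=False,
                          capture_output=True, text=True, timeout=10)


def suspicious_parameters(params: dict[str, str]) -> list[str]:
    """Detection helper: names of request parameters carrying shell metacharacters.

    Suitable as a log-enrichment check on a WAF or a device's HTTP front end.
    """
    return [name for name, value in params.items()
            if any(ch in SHELL_METACHARS for ch in value)]


if __name__ == "__main__":
    # Constructed request parameters, one benign and one hostile.
    for host in ("10.0.0.1", "10.0.0.1; id"):
        print("unsafe string :", build_command_unsafe(host))
        print("validation    :", "accept" if is_valid_hostname(host) else "reject")
    print("flagged params:", suspicious_parameters({"host": "$(id)", "count": "1"}))
```

The design point is that the hardened path never attempts to escape or strip dangerous characters; it rejects anything outside a narrow allowlist and then hands the value to the program as a discrete argument, so no shell ever parses it. The detection helper is deliberately separate from validation: a rejected request should still be logged with the parameter name so that attempts are visible to the SOC.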

Security Summary (AI-generated)

CVE-2025-64127 is an OS command injection vulnerability (CWE-78) caused by insufficient sanitization of user-supplied input. The affected application accepts parameters that are later incorporated into OS commands without adequate validation. Published on 2025-11-26, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). References, including CISA ICS Advisory ICSA-25-329-03 and Zenitel's wiki page for the Station and Device Firmware Package (VS-IS), document the issue.

An unauthenticated attacker can exploit the vulnerability remotely by supplying malicious input through affected parameters. Successful exploitation enables arbitrary OS command execution, potentially granting full control over the impacted system.

Mitigation details are available in the referenced advisories, including CISA ICSA-25-329-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03), Zenitel's firmware downloads wiki (https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29), and the CSAF JSON file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json).

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote OS command injection in public-facing firmware enables exploitation of a public-facing application (T1190) and arbitrary command execution via a Unix shell (T1059.004) on ICS devices that are likely Linux-based.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References