CVE-2025-64130
Published: 26 November 2025
Description
Zenitel TCIV-3+ contains a reflected cross-site scripting (XSS) flaw in its web interface that could allow an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser.
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation: applying Zenitel's firmware update directly remediates the reflected XSS flaw in the TCIV-3+ web interface and is the only control that removes the defect itself.
SI-15 Information Output Filtering: encoding every reflected value for the HTML context it lands in (body, attribute, or script) at the point of output prevents attacker-supplied markup from being parsed as JavaScript in the victim's browser.
SI-10 Information Input Validation: rejecting, rather than attempting to clean, any request parameter that falls outside an allowlist reduces what reaches the reflection point; it is a defence in depth alongside output encoding, not a substitute for it.
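The three controls above, shown side by side in a deliberately small request handler. This is an added example written for this page, not Zenitel's code; the `/status` path and the `name` parameter are assumptions made for illustration and are not taken from the advisory. The first function reproduces the CWE-79 pattern (unencoded reflection); the hardened path applies an allowlist (SI-10) and HTML-encodes at output (SI-15).

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a reflected-XSS probe against a hypothetical
# "name" query parameter. Path and parameter name are assumptions for the
# example, not the TCIV-3+'s real interface.
SAMPLE_URL = "/status?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E"


def param_from_url(url, key):
    """Return the first value of a query parameter, percent-decoded."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(key, [""])[0]


def render_vulnerable(name):
    """Reflects the parameter into HTML without encoding: the CWE-79 pattern."""
    return f"<h1>Station: {name}</h1>"


# SI-10: a strict allowlist for what a station name may contain.
# Anything outside it is rejected, never "cleaned".
STATION_NAME = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def validate_name(name):
    """Raise ValueError unless the value matches the allowlist exactly."""
    if not STATION_NAME.fullmatch(name):
        raise ValueError("invalid station name")
    return name


def render_hardened(name):
    """SI-15: HTML-encode at the point of reflection.

    quote=True also encodes ' and ", so the same helper is safe inside a
    double- or single-quoted attribute value. It is NOT sufficient for a
    JavaScript or URL context; those need their own encoders.
    """
    return f"<h1>Station: {html.escape(name, quote=True)}</h1>"


def handle(url, hardened=True):
    """Minimal request handler returning (status, body)."""
    name = param_from_url(url, "name")
    if not hardened:
        return 200, render_vulnerable(name)
    try:
        validate_name(name)
    except ValueError:
        return 400, "<h1>Bad request</h1>"
    return 200, render_hardened(name)


if __name__ == "__main__":
    print(handle(SAMPLE_URL, hardened=False))
    print(handle(SAMPLE_URL))
    print(handle("/status?name=Lobby%20Door%201"))
```

The two layers fail independently: if the allowlist were loosened later (for example to permit apostrophes in names), the output encoding would still neutralise the markup, and if a developer reflected the value through a new template without `html.escape`, the allowlist would still block the obvious probes. Neither layer is a reason to skip the firmware update.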
Security Summary
CVE-2025-64130 is a reflected cross-site scripting (XSS) vulnerability in the Zenitel TCIV-3+ intercom device. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
The published vector rates the flaw as reachable over the network, low complexity, no privileges and no user interaction. As with any reflected XSS, the payload travels in the request itself, so the realistic path is a victim's browser loading an attacker-crafted link to the device's web interface; the injected script then runs in the device's web origin and can act with that user's session on it.
CISA ICS Advisory ICSA-25-329-03, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 and in CSAF JSON format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json, provides details on the vulnerability; consult it for the affected and fixed firmware versions before planning remediation. Zenitel provides the firmware update through the Station and Device Firmware Package (VS-IS) on its wiki at https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29.
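Until the update is applied, the requests that exercise a reflected XSS are visible in the device's or a fronting proxy's access log. The following is an added example for this page, not a Zenitel or CISA tool: it parses constructed Common Log Format lines, percent-decodes the request target (repeatedly, so double-encoded payloads are caught), and flags the narrow set of markup that reflected-XSS probes rely on. The `/status` path and `name` parameter in the sample lines are invented for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format. The paths and parameter
# names are invented for this example, not taken from the advisory.
SAMPLE_LOG = """\
10.0.5.21 - - [26/Nov/2025:10:14:02 +0000] "GET /status?name=Lobby+Door+1 HTTP/1.1" 200 412
203.0.113.9 - - [26/Nov/2025:10:15:40 +0000] "GET /status?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 433
203.0.113.9 - - [26/Nov/2025:10:15:41 +0000] "GET /status?name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 440
10.0.5.22 - - [26/Nov/2025:10:16:05 +0000] "GET /js/app.js HTTP/1.1" 200 9120
203.0.113.9 - - [26/Nov/2025:10:16:10 +0000] "GET /status?name=%3Csvg/onload%3Dalert(1)%3E HTTP/1.1" 200 429
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the *decoded* request target. Kept deliberately narrow: a tag
# opener for an element that can carry script, a common inline event-handler
# attribute, or a javascript: URL. Case-insensitive because browsers are.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|svg|img|iframe|object|embed)\b", re.I),
    re.compile(r"\bon(load|error|click|focus|mouseover|keydown|toggle)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def decode_target(path):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded payloads such as %253C are normalised before matching."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = CLF.match(line)
    if not m:
        return None
    target = decode_target(m.group("path"))
    hits = [p.pattern for p in XSS_PATTERNS if p.search(target)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "target": target,
        "hits": hits,
    }


def scan(log_text):
    """Run classify() over every line and return the findings in order."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["target"])
```

A 200 on a flagged request does not prove the payload was reflected, but on an unpatched device it is the case worth triaging first; pair the source address with proxy or firewall logs to see who else that client touched. The patterns are a starting point for a detection rule, not an exhaustive XSS grammar.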
Details
- CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS in the web interface of the Zenitel TCIV-3+ maps to Exploit Public-Facing Application (T1190): an attacker on the network can exploit the device's exposed web interface without prior privileges, with the resulting script executing in the browser of whichever user loads the crafted request.