CVE-2025-64127

moderate-risk
Published 2025-11-26

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

Do I need to act?

!
10.9% chance of exploitation in next 30 days
EPSS score — higher than 89% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
10
CVSS 10.0/10 Critical
NETWORK / LOW complexity

References (3)

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-32...
https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28V...
https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
49
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 11/34 · Low
Exposure 5/34 · Minimal