Advisory

Critical unauthenticated RCE flaws reported in Zenitel TCIV-3+ IP Video Intercom

Take action: Ensure all Zenitel TCIV-3+ intercom devices are isolated from the internet and only accessible from trusted internal networks. Immediately upgrade all units to firmware version 9.3.3.0 or later. Prioritize devices exposed on the public perimeter.



CISA reports multiple severe vulnerabilities affecting Zenitel's TCIV-3+ IP/SIP video intercom systems. The advisory identifies five vulnerabilities that could allow unauthenticated attackers to execute arbitrary commands remotely, crash devices, or execute malicious JavaScript on victims' browsers.

The TCIV-3+ is deployed in building perimeters, entrance points, and industrial facilities where the devices support HD video streaming, RTSP/ONVIF integration, and SIP environment connectivity. 

Vulnerabilities summary:

  • CVE-2025-64126 (CVSS score 10.0) - OS Command Injection vulnerability due to improper input validation that accepts parameters directly from user input without verification or filtering of malicious characters
  • CVE-2025-64127 (CVSS score 10.0) - OS Command Injection vulnerability caused by insufficient sanitization of user-supplied input that is incorporated into OS commands without adequate validation
  • CVE-2025-64128 (CVSS score 10.0) - OS Command Injection vulnerability resulting from incomplete validation of user input that fails to enforce sufficient formatting rules, permitting attackers to append arbitrary data
  • CVE-2025-64129 (CVSS score 7.0) - Out-of-bounds Write vulnerability that could allow remote attackers to crash the device
  • CVE-2025-64130 (CVSS score 9.3) - Reflected Cross-site Scripting vulnerability that could enable remote attackers to execute arbitrary JavaScript in victims' browsers

All versions of Zenitel TCIV-3+ prior to version 9.3.3.0 are affected. Successful exploitation of the three OS command injection flaws could result in complete device compromise, allowing attackers to steal data, install persistent backdoors, distribute malware across corporate networks, or pivot laterally into backend management systems.

The risks are compounded by the TCIV-3+'s typical deployment profile—these devices are often physically exposed on building exteriors and accessible from less-trusted networks, making them attractive targets for automated scanning and exploitation tools.

Zenitel strongly recommends all users immediately upgrade to version 9.3.3.0 or later to remediate these vulnerabilities. Organizations should verify firmware versions of all TCIV-3+ units in their inventory and prioritize upgrades for internet-facing or perimeter-deployed devices.
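One way to run the inventory check described above, as an added example that is not Zenitel's or CISA's code: it reads a constructed CSV inventory (the column names, hostnames and exposure labels are assumptions) and lists TCIV-3+ units below 9.3.3.0, most exposed first. Versions are compared numerically, so 9.10.0.1 is not mistaken for older than 9.3.3.0 as a plain string comparison would do.

```python
import csv
import io

FIXED = (9, 3, 3, 0)  # first fixed firmware version named in the advisory

# Constructed sample inventory; column names and exposure labels are assumptions.
SAMPLE_INVENTORY = """hostname,model,firmware,exposure
gate-north,TCIV-3+,9.2.1.0,internet
lobby-01,TCIV-3+,9.3.3.0,internal
dock-02,TCIV-3+,9.3.2.9,perimeter
roof-03,TCIV-3+,9.10.0.1,internet
lab-04,TCIV-3+,unknown,internal
desk-05,OTHER-MODEL,1.0.0.0,internal
"""

# Lower rank is upgraded first; an unrecognized label is treated as most exposed.
EXPOSURE_RANK = {"internet": 0, "perimeter": 1, "internal": 2}


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def triage(inventory_csv):
    """Return (hostname, firmware, exposure) for units needing upgrade, most exposed first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip() != "TCIV-3+":
            continue
        version = parse_version(row["firmware"])
        # An unreadable version is flagged too: it must be verified by hand.
        if version is None or version < FIXED:
            findings.append((row["hostname"], row["firmware"], row["exposure"]))
    findings.sort(key=lambda f: (EXPOSURE_RANK.get(f[2], 0), f[0]))
    return findings


if __name__ == "__main__":
    for host, firmware, exposure in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {firmware:10} {exposure}")
```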
