CVE-2025-64128 | HackTesting

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.

Credits

Nir Tepper and Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.

References

https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29

https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json