Zenitel TCIV-3+ OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Zenitel TCIV-3+ intercom devices, all versions prior to 9.3.3.0. The device accepts user-supplied parameters and incorporates them directly into operating system commands without adequate input validation or sanitization, which allows an unauthenticated remote attacker to execute arbitrary OS commands.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands on the affected system, potentially allowing for arbitrary code execution or causing a denial-of-service condition by crashing the device.

Remediation

Users are advised to upgrade to Zenitel TCIV-3+ Version 9.3.3.0 or later. For download information, visit the Zenitel Wiki.

Added: Nov 26, 2025, 6:20 PM
Updated: Nov 26, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact          10.0
exploitability   7.4
remediation      7.7
relevance        1.1
threat           0.2
urgency          2.9
incentive        5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.