Zenitel TCIV-3+ OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in Zenitel TCIV-3+ intercom devices, all versions prior to 9.3.3.0. The vulnerability arises from inadequate validation of user input and allows an unauthenticated attacker to inject arbitrary commands. An attacker exploits the flaw by appending malicious data to parameters that are not properly sanitized before they are used as part of an operating system command.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands on the affected device, potentially allowing for arbitrary code execution or causing the device to crash, creating a denial-of-service condition.

Remediation

Users are advised to upgrade to Zenitel TCIV-3+ Version 9.3.3.0 or later. For download instructions, visit the Zenitel Wiki.
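
To find which deployed units still need the upgrade, the following added example (not part of the original advisory and not Zenitel code) triages a device inventory against the fixed version 9.3.3.0. The CSV column names, host names and sample rows are constructed assumptions; version strings with fewer than four parts are assumed to be zero-padded.

```python
import csv
import io
import re

FIXED = (9, 3, 3, 0)          # first fixed release, per the advisory
MODEL = "TCIV-3+"             # affected product, per the advisory

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """host,model,firmware
door-01,TCIV-3+,9.3.3.0
door-02,TCIV-3+,9.2.1.4
gate-03,TCIV-3+,v9.3.2
lobby-04,TCIV-3+,unknown
desk-05,OTHER-MODEL,1.0.0.0
dock-06,tciv-3+,9.10.0.1
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not dotted numeric."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))   # assumed padding: "9.3.2" -> (9, 3, 2, 0)

def triage(inventory_csv):
    """Map each affected-model device to 'patched', 'vulnerable' or 'review'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() != MODEL:
            continue                                # not the affected product
        version = parse_version(row["firmware"])
        if version is None:
            result[row["host"]] = "review"          # unreadable version: check by hand
        elif version < FIXED:
            result[row["host"]] = "vulnerable"      # prior to 9.3.3.0
        else:
            result[row["host"]] = "patched"         # numeric compare, so 9.10 > 9.3
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "review" have a firmware string that could not be parsed and should be checked directly on the unit.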

Added: Nov 26, 2025, 6:19 PM
Updated: Nov 26, 2025, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 1.2
threat: 0.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.