
December 2, 2025

CISA Warns of Zenitel TCIV-3+ Maximum Severity Flaws


At a glance: CISA warned of five critical vulnerabilities in Zenitel TCIV-3+ intercoms allowing unauthenticated remote code execution, XSS, and potential device compromise. Organizations should update to firmware 9.3.3.0+, segment networks, and monitor for anomalies. Field Effect MDR clients would receive an ARO alert identifying any instances vulnerable to these threats.

Threat summary

On November 25, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory detailing five vulnerabilities in Zenitel TCIV-3+ intercom versions prior to 9.3.3.0. The vulnerabilities include:

  • Three operating system command injection flaws caused by insufficient validation of user-supplied input. They are tracked as CVE-2025-64126, CVE-2025-64127, and CVE-2025-64128, and each is rated with a Common Vulnerability Scoring System (CVSS) v4 score of 10.0. The flaws are easy to exploit and allow unauthenticated remote execution of malicious commands.
  • One cross-site scripting (XSS) issue, tracked as CVE-2025-64130, is also rated critical, with a CVSS v4 score of 9.3. It could allow remote execution of malicious JavaScript in the victim's browser. Successful exploitation could lead to session hijacking, defacement, or the redirection of users to malicious websites.
  • An out-of-bounds write, CVE-2025-64129, is rated with a CVSS v4 score of 7.0. It could cause device crashes and denial of service. The worst-case scenario is full compromise of intercom devices, enabling threat actors to pivot into broader operational networks.

At the time of publication, CISA stated there was no evidence of public proof-of-concept exploit code or active exploitation. The vendor released patched firmware version 9.3.3.0 in October, prior to the advisory publication. 

Analyst insight

The Zenitel TCIV-3+ is an IP (Internet Protocol) and SIP (Session Initiation Protocol) video intercom designed for door entry, access control, and public-facing communications in commercial buildings, industrial sites, educational facilities, and healthcare environments. These devices support high-definition video, RTSP (Real Time Streaming Protocol) and ONVIF (Open Network Video Interface Forum) streaming, and integrate with Zenitel management platforms and SIP environments. The typical deployment profile places these intercoms on building perimeters, entrance points, and distributed facilities, where they often have network paths from less-trusted segments. The combination of perimeter placement, critical access control functions, and pre-authentication remote code execution creates significant risk for organizations that have not applied patches.

Successful exploitation could result in complete device compromise, persistent backdoor installation, lateral movement into management networks, eavesdropping on communications, manipulation of access control systems, or denial of service to critical entry points.

Organizations are advised to inventory Zenitel TCIV-3+ deployments, confirm that firmware has been upgraded to version 9.3.3.0 or later, and enforce network segmentation. Monitoring these devices for anomalous activity is also recommended, since exploitation could give attackers a foothold in communications infrastructure.
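The inventory-and-confirm step above is easy to get wrong when firmware versions are compared as strings ("9.10.0.0" sorts before "9.3.3.0" lexically). The following is an added example, not code from Field Effect, Zenitel, or CISA: it triages a constructed asset inventory against the 9.3.3.0 fix version, compares versions numerically, and sets aside devices whose firmware could not be read for manual review. The inventory records, hostnames, and the "9.10.0.0" value are constructed for illustration only and do not correspond to real releases or devices.

```python
"""Triage an asset inventory for Zenitel TCIV-3+ intercoms still running
firmware older than the patched 9.3.3.0 release named in the CISA advisory.

Added example (not vendor or advisory code). The inventory below is constructed.
"""

# Fixed firmware version from the advisory; anything numerically lower is affected.
PATCHED_VERSION = "9.3.3.0"
AFFECTED_MODEL = "TCIV-3+"

# Constructed sample inventory, e.g. exported from a CMDB or discovery scan.
# "9.10.0.0" is a hypothetical value used only to show why string comparison fails.
CONSTRUCTED_INVENTORY = [
    {"host": "intercom-lobby-01", "model": "TCIV-3+", "firmware": "9.3.2.1"},
    {"host": "intercom-dock-02", "model": "TCIV-3+", "firmware": "9.3.3.0"},
    {"host": "intercom-gate-03", "model": "TCIV-3+", "firmware": "9.10.0.0"},
    {"host": "intercom-east-04", "model": "TCIV-3+", "firmware": "unknown"},
    {"host": "panel-server-05", "model": "OtherDevice", "firmware": "2.0"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a dotted version string into a tuple of ints.

    Raises ValueError for anything that is not purely numeric components, so
    an unreadable firmware field is surfaced rather than silently treated as safe.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Shorter tuples are zero-padded so '9.3.3' and '9.3.3.0' compare equal.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(firmware: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the firmware predates the patched release."""
    return compare_versions(firmware, patched) < 0


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Sort TCIV-3+ devices into vulnerable / patched / needs_review buckets.

    Devices of other models are ignored; devices whose firmware cannot be
    parsed go to needs_review instead of being assumed patched.
    """
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "needs_review": []}
    for device in inventory:
        if device.get("model") != AFFECTED_MODEL:
            continue
        try:
            bucket = "vulnerable" if is_vulnerable(device["firmware"]) else "patched"
        except ValueError:
            bucket = "needs_review"
        result[bucket].append(device["host"])
    return result


if __name__ == "__main__":
    report = triage(CONSTRUCTED_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket:13s}: {', '.join(hosts) or '-'}")
```

Feed the script an export from whatever holds your device records; the point of the needs_review bucket is that a device you cannot read a version from should be checked by hand rather than dropped from the patch list.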

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics.

Field Effect MDR clients would receive an ARO alert identifying any instances vulnerable to the noted flaws, with remediation guidance.

Field Effect MDR continuously monitors for vulnerabilities through advanced analytics, threat intelligence, and 24/7 visibility across endpoints, networks, and cloud environments. By correlating network traffic, endpoint behavior, and indicators of compromise, it detects and blocks exploit attempts, flagging anomalies such as malformed requests, suspicious outbound connections, or unauthorized privilege changes.
