Search
Find a vulnerability
Search criteria
10 vulnerabilities found for icx500 by zenitel
CVE-2025-64093 (GCVE-0-2025-64093)
Vulnerability from nvd – Published: 2026-01-09 10:04 – Updated: 2026-01-09 17:58
VLAI
EPSS
VEX
Title
Unauthenticated Remote Code Execution via the device hostname
Summary
Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zenitel.com/sites/default/files/2025-… | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:58:14.991695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:58:19.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 10,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 10,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T10:04:58.207Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
}
],
"title": "Unauthenticated Remote Code Execution via the device hostname",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-64093",
"datePublished": "2026-01-09T10:04:58.207Z",
"dateReserved": "2025-10-27T09:43:10.201Z",
"dateUpdated": "2026-01-09T17:58:19.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64092 (GCVE-0-2025-64092)
Vulnerability from nvd – Published: 2026-01-09 10:03 – Updated: 2026-01-09 17:59
VLAI
EPSS
VEX
Title
Unauthenticated SQL injection via GET request parameters
Summary
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zenitel.com/sites/default/files/2025-… | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:59:10.636452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:59:17.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T10:03:49.853Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
}
],
"title": "Unauthenticated SQL injection via GET request parameters",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-64092",
"datePublished": "2026-01-09T10:03:49.853Z",
"dateReserved": "2025-10-27T09:43:10.201Z",
"dateUpdated": "2026-01-09T17:59:17.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59816 (GCVE-0-2025-59816)
Vulnerability from nvd – Published: 2025-09-25 19:30 – Updated: 2025-09-26 15:42
VLAI
EPSS
VEX
Title
Authenticated Union based SQL-injection in the search input field
Summary
This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Relea… | release-notes |
| https://wiki.zenitel.com/wiki/Downloads#ICX-Alpha… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T15:42:26.536306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T15:42:38.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.3,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.3,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T05:47:09.538Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel",
"tags": [
"release-notes"
],
"url": "https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Release_Notes"
},
{
"name": "Zenitel",
"tags": [
"patch"
],
"url": "https://wiki.zenitel.com/wiki/Downloads#ICX-AlphaCom_System"
}
],
"title": "Authenticated Union based SQL-injection in the search input field"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-59816",
"datePublished": "2025-09-25T19:30:03.608Z",
"dateReserved": "2025-09-22T10:23:28.574Z",
"dateUpdated": "2025-09-26T15:42:38.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59815 (GCVE-0-2025-59815)
Vulnerability from nvd – Published: 2025-09-25 19:29 – Updated: 2025-09-29 17:15
VLAI
EPSS
VEX
Title
Authenticated Remote Code Execution in the Billing Administration portal
Summary
This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device’s availability, confidentiality, and integrity.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Relea… | release-notes |
| https://wiki.zenitel.com/wiki/Downloads#ICX-Alpha… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T17:14:00.473701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T17:15:41.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device\u2019s availability, confidentiality, and integrity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.5,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "HIGH",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.4,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T05:46:48.773Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel",
"tags": [
"release-notes"
],
"url": "https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Release_Notes"
},
{
"name": "Zenitel",
"tags": [
"patch"
],
"url": "https://wiki.zenitel.com/wiki/Downloads#ICX-AlphaCom_System"
}
],
"title": "Authenticated Remote Code Execution in the Billing Administration portal"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-59815",
"datePublished": "2025-09-25T19:29:50.228Z",
"dateReserved": "2025-09-22T10:23:28.574Z",
"dateUpdated": "2025-09-29T17:15:41.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59814 (GCVE-0-2025-59814)
Vulnerability from nvd – Published: 2025-09-25 19:29 – Updated: 2025-09-29 17:25
VLAI
EPSS
VEX
Title
Unauthenticated SQL-injection in password field
Summary
This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin database.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Relea… | release-notes |
| https://wiki.zenitel.com/wiki/Downloads#ICX-Alpha… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T17:25:21.899215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T17:25:33.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T05:46:25.019Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel",
"tags": [
"release-notes"
],
"url": "https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Release_Notes"
},
{
"name": "Zenitel",
"tags": [
"patch"
],
"url": "https://wiki.zenitel.com/wiki/Downloads#ICX-AlphaCom_System"
}
],
"title": "Unauthenticated SQL-injection in password field"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-59814",
"datePublished": "2025-09-25T19:29:34.809Z",
"dateReserved": "2025-09-22T10:23:28.574Z",
"dateUpdated": "2025-09-29T17:25:33.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64093 (GCVE-0-2025-64093)
Vulnerability from cvelistv5 – Published: 2026-01-09 10:04 – Updated: 2026-01-09 17:58
VLAI
EPSS
VEX
Title
Unauthenticated Remote Code Execution via the device hostname
Summary
Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zenitel.com/sites/default/files/2025-… | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:58:14.991695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:58:19.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 10,
"environmentalSeverity": "CRITICAL",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 10,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T10:04:58.207Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
}
],
"title": "Unauthenticated Remote Code Execution via the device hostname",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-64093",
"datePublished": "2026-01-09T10:04:58.207Z",
"dateReserved": "2025-10-27T09:43:10.201Z",
"dateUpdated": "2026-01-09T17:58:19.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64092 (GCVE-0-2025-64092)
Vulnerability from cvelistv5 – Published: 2026-01-09 10:03 – Updated: 2026-01-09 17:59
VLAI
EPSS
VEX
Title
Unauthenticated SQL injection via GET request parameters
Summary
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zenitel.com/sites/default/files/2025-… | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:59:10.636452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:59:17.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T10:03:49.853Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
}
],
"title": "Unauthenticated SQL injection via GET request parameters",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-64092",
"datePublished": "2026-01-09T10:03:49.853Z",
"dateReserved": "2025-10-27T09:43:10.201Z",
"dateUpdated": "2026-01-09T17:59:17.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59816 (GCVE-0-2025-59816)
Vulnerability from cvelistv5 – Published: 2025-09-25 19:30 – Updated: 2025-09-26 15:42
VLAI
EPSS
VEX
Title
Authenticated Union based SQL-injection in the search input field
Summary
This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Relea… | release-notes |
| https://wiki.zenitel.com/wiki/Downloads#ICX-Alpha… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T15:42:26.536306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T15:42:38.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.3,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.3,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T05:47:09.538Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel",
"tags": [
"release-notes"
],
"url": "https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Release_Notes"
},
{
"name": "Zenitel",
"tags": [
"patch"
],
"url": "https://wiki.zenitel.com/wiki/Downloads#ICX-AlphaCom_System"
}
],
"title": "Authenticated Union based SQL-injection in the search input field"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-59816",
"datePublished": "2025-09-25T19:30:03.608Z",
"dateReserved": "2025-09-22T10:23:28.574Z",
"dateUpdated": "2025-09-26T15:42:38.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59815 (GCVE-0-2025-59815)
Vulnerability from cvelistv5 – Published: 2025-09-25 19:29 – Updated: 2025-09-29 17:15
VLAI
EPSS
VEX
Title
Authenticated Remote Code Execution in the Billing Administration portal
Summary
This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device’s availability, confidentiality, and integrity.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Relea… | release-notes |
| https://wiki.zenitel.com/wiki/Downloads#ICX-Alpha… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T17:14:00.473701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T17:15:41.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device\u2019s availability, confidentiality, and integrity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.5,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "HIGH",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.4,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T05:46:48.773Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel",
"tags": [
"release-notes"
],
"url": "https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Release_Notes"
},
{
"name": "Zenitel",
"tags": [
"patch"
],
"url": "https://wiki.zenitel.com/wiki/Downloads#ICX-AlphaCom_System"
}
],
"title": "Authenticated Remote Code Execution in the Billing Administration portal"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-59815",
"datePublished": "2025-09-25T19:29:50.228Z",
"dateReserved": "2025-09-22T10:23:28.574Z",
"dateUpdated": "2025-09-29T17:15:41.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59814 (GCVE-0-2025-59814)
Vulnerability from cvelistv5 – Published: 2025-09-25 19:29 – Updated: 2025-09-29 17:25
VLAI
EPSS
VEX
Title
Unauthenticated SQL-injection in password field
Summary
This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin database.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Relea… | release-notes |
| https://wiki.zenitel.com/wiki/Downloads#ICX-Alpha… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T17:25:21.899215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T17:25:33.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ICX500",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICX510",
"vendor": "Zenitel",
"versions": [
{
"status": "affected",
"version": "\u003c1.4.3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "ADJACENT_NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T05:46:25.019Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "Zenitel",
"tags": [
"release-notes"
],
"url": "https://wiki.zenitel.com/wiki/ICX_1.4.3.X_-_Release_Notes"
},
{
"name": "Zenitel",
"tags": [
"patch"
],
"url": "https://wiki.zenitel.com/wiki/Downloads#ICX-AlphaCom_System"
}
],
"title": "Unauthenticated SQL-injection in password field"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2025-59814",
"datePublished": "2025-09-25T19:29:34.809Z",
"dateReserved": "2025-09-22T10:23:28.574Z",
"dateUpdated": "2025-09-29T17:25:33.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}