Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for icx500_firmware by zenitel

    CVE-2025-64093 (GCVE-0-2025-64093)

    Vulnerability from nvd – Published: 2026-01-09 10:04 – Updated: 2026-01-09 17:58
    VLAI
    Title
    Unauthenticated Remote Code Execution via the device hostname
    Summary
    Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zenitel ICX500 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Zenitel ICX510 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T17:58:14.991695Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-77",
                    "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T17:58:19.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ICX500",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "ICX510",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 10,
                "environmentalSeverity": "CRITICAL",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "HIGH",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 10,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-09T10:04:58.207Z",
            "orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
            "shortName": "NCSC-NL"
          },
          "references": [
            {
              "name": "Zenitel Security Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
            }
          ],
          "title": "Unauthenticated Remote Code Execution via the device hostname",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
        "assignerShortName": "NCSC-NL",
        "cveId": "CVE-2025-64093",
        "datePublished": "2026-01-09T10:04:58.207Z",
        "dateReserved": "2025-10-27T09:43:10.201Z",
        "dateUpdated": "2026-01-09T17:58:19.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64092 (GCVE-0-2025-64092)

    Vulnerability from nvd – Published: 2026-01-09 10:03 – Updated: 2026-01-09 17:59
    VLAI
    Title
    Unauthenticated SQL injection via GET request parameters
    Summary
    This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zenitel ICX500 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Zenitel ICX510 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64092",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T17:59:10.636452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T17:59:17.924Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ICX500",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "ICX510",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 7.5,
                "environmentalSeverity": "HIGH",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "NONE",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "NONE",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "UNCHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "UNCHANGED",
                "temporalScore": 7.5,
                "temporalSeverity": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-09T10:03:49.853Z",
            "orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
            "shortName": "NCSC-NL"
          },
          "references": [
            {
              "name": "Zenitel Security Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
            }
          ],
          "title": "Unauthenticated SQL injection via GET request parameters",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
        "assignerShortName": "NCSC-NL",
        "cveId": "CVE-2025-64092",
        "datePublished": "2026-01-09T10:03:49.853Z",
        "dateReserved": "2025-10-27T09:43:10.201Z",
        "dateUpdated": "2026-01-09T17:59:17.924Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64093 (GCVE-0-2025-64093)

    Vulnerability from cvelistv5 – Published: 2026-01-09 10:04 – Updated: 2026-01-09 17:58
    VLAI
    Title
    Unauthenticated Remote Code Execution via the device hostname
    Summary
    Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zenitel ICX500 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Zenitel ICX510 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T17:58:14.991695Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-77",
                    "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T17:58:19.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ICX500",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "ICX510",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 10,
                "environmentalSeverity": "CRITICAL",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "HIGH",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "HIGH",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "HIGH",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "CHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 10,
                "temporalSeverity": "CRITICAL",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-09T10:04:58.207Z",
            "orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
            "shortName": "NCSC-NL"
          },
          "references": [
            {
              "name": "Zenitel Security Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
            }
          ],
          "title": "Unauthenticated Remote Code Execution via the device hostname",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
        "assignerShortName": "NCSC-NL",
        "cveId": "CVE-2025-64093",
        "datePublished": "2026-01-09T10:04:58.207Z",
        "dateReserved": "2025-10-27T09:43:10.201Z",
        "dateUpdated": "2026-01-09T17:58:19.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64092 (GCVE-0-2025-64092)

    Vulnerability from cvelistv5 – Published: 2026-01-09 10:03 – Updated: 2026-01-09 17:59
    VLAI
    Title
    Unauthenticated SQL injection via GET request parameters
    Summary
    This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zenitel ICX500 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Zenitel ICX510 Affected: <1.4.3.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64092",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T17:59:10.636452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T17:59:17.924Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ICX500",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "ICX510",
              "vendor": "Zenitel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c1.4.3.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "availabilityRequirement": "NOT_DEFINED",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "confidentialityRequirement": "NOT_DEFINED",
                "environmentalScore": 7.5,
                "environmentalSeverity": "HIGH",
                "exploitCodeMaturity": "NOT_DEFINED",
                "integrityImpact": "NONE",
                "integrityRequirement": "NOT_DEFINED",
                "modifiedAttackComplexity": "LOW",
                "modifiedAttackVector": "NETWORK",
                "modifiedAvailabilityImpact": "NONE",
                "modifiedConfidentialityImpact": "HIGH",
                "modifiedIntegrityImpact": "NONE",
                "modifiedPrivilegesRequired": "NONE",
                "modifiedScope": "UNCHANGED",
                "modifiedUserInteraction": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "UNCHANGED",
                "temporalScore": 7.5,
                "temporalSeverity": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-09T10:03:49.853Z",
            "orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
            "shortName": "NCSC-NL"
          },
          "references": [
            {
              "name": "Zenitel Security Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
            }
          ],
          "title": "Unauthenticated SQL injection via GET request parameters",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
        "assignerShortName": "NCSC-NL",
        "cveId": "CVE-2025-64092",
        "datePublished": "2026-01-09T10:03:49.853Z",
        "dateReserved": "2025-10-27T09:43:10.201Z",
        "dateUpdated": "2026-01-09T17:59:17.924Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }