OTPulse

Zenitel TCIV-3+

Act Now · 9.8 · ICS-CERT ICSA-25-329-03 · Nov 25, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Zenitel TCIV-3+ devices with firmware versions prior to 9.3.3.0 are vulnerable to arbitrary code execution and denial-of-service attacks via three distinct vulnerabilities: OS command injection (CWE-78), buffer overflow (CWE-787), and cross-site scripting (CWE-79). These vulnerabilities can be exploited remotely without authentication. Successful exploitation could result in arbitrary code execution allowing an attacker to intercept communications, modify system behavior, or disable the intercom/video system.

What this means
What could happen
An attacker could execute arbitrary code on the TCIV-3+ intercom or video system, potentially allowing them to intercept calls/video, modify system behavior, or disable emergency communications at your facility.
Who's at risk
Zenitel TCIV-3+ intercom and video communication systems used in buildings, campuses, water utilities, and electric utilities for emergency communications and visitor management. Any facility using TCIV-3+ for critical communications should prioritize securing these devices.
How it could be exploited
An attacker on the network could send specially crafted input to the TCIV-3+ that triggers command injection (CWE-78), buffer overflow (CWE-787), or cross-site scripting (CWE-79) vulnerabilities. No authentication is required, and the attack can be initiated remotely from any network segment that can reach the device.
Prerequisites
  • Network access to the TCIV-3+ device
  • Device running firmware version prior to 9.3.3.0
  • No credentials required
remotely exploitable · no authentication required · low complexity · high CVSS (9.8) · affects safety/emergency systems · EPSS score 9.8%
Exploitability
Moderate exploit probability (EPSS 9.8%)
Affected products (1)
Product | Affected Versions | Fix Status
TCIV-3+: <9.3.3.0 | <9.3.3.0 | 9.3.3.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to TCIV-3+ by placing it behind a firewall and isolating it from the business network; allow only authorized devices to communicate with it
WORKAROUND: If remote access to TCIV-3+ is required, use a VPN with encryption and access controls instead of exposing the device directly to untrusted networks
HARDENING: Ensure TCIV-3+ is not accessible from the internet or from untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade TCIV-3+ firmware to version 9.3.3.0 or later