CVE-2025-64091

8.6 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary operating system commands by manipulating NTP configuration settings on affected devices. It affects Zenitel devices with vulnerable firmware versions. Attackers with valid credentials can achieve remote code execution.

💻 Affected Systems

Products:
  • Zenitel devices with vulnerable firmware
Versions: Specific affected versions are not detailed in the reference; consult the CVE-2025-64091 vendor advisory
Operating Systems: Embedded Linux-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to device management interface

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full device compromise leading to lateral movement, data exfiltration, or deployment of persistent malware across the network.

🟠 Likely Case: Unauthorized command execution allowing privilege escalation, configuration changes, or installation of backdoors on vulnerable devices.

🟢 If Mitigated: Limited impact if strong authentication controls, network segmentation, and proper monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access, but the command injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Zenitel security advisory for specific patched versions

Vendor Advisory: https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf

Restart Required: Yes

Instructions:

1. Review the Zenitel security advisory.
2. Download the appropriate firmware update.
3. Back up the device configuration.
4. Apply the firmware update following vendor instructions.
5. Verify update success and functionality.

🔧 Temporary Workarounds

Restrict NTP Configuration Access (applies to: all)

Limit access to the NTP configuration interface to trusted administrators only.

Network Segmentation (applies to: all)

Isolate affected devices in separate network segments with strict firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for device management interfaces
  • Monitor NTP configuration changes and command execution attempts in device logs

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against Zenitel security advisory and test if authenticated users can inject commands via NTP configuration fields

Check Version:

Device-specific command - consult device documentation or web interface

Verify Fix Applied:

Verify firmware version matches patched version from advisory and test that command injection via NTP configuration is no longer possible

📡 Detection & Monitoring

Log Indicators:

  • Unusual NTP configuration changes
  • Unexpected command execution events
  • Multiple failed authentication attempts followed by NTP configuration changes

Network Indicators:

  • Unusual outbound connections from device following NTP configuration changes
  • Traffic to unexpected destinations

SIEM Query:

source="device_logs" AND (event="ntp_config_change" OR event="command_execution") AND user!="authorized_admin"
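A correlation check for the log indicators above, as an added example that is not part of the advisory: it replays constructed key=value log lines and flags NTP configuration changes made by users outside an assumed admin allowlist, and NTP changes that follow a burst of failed logins from the same source within a short window. The field names, user names, addresses and thresholds are constructed assumptions, not a real Zenitel log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allowlist and thresholds; tune to the environment.
AUTHORIZED_ADMINS = {"netadmin"}
FAILED_LOGIN_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Constructed sample log lines in an assumed key=value syslog style.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z event=auth_failure user=admin src=10.0.5.23
2025-12-01T10:00:07Z event=auth_failure user=admin src=10.0.5.23
2025-12-01T10:00:12Z event=auth_failure user=admin src=10.0.5.23
2025-12-01T10:00:30Z event=auth_success user=admin src=10.0.5.23
2025-12-01T10:01:02Z event=ntp_config_change user=admin src=10.0.5.23 server=pool.example.org
2025-12-01T11:30:00Z event=ntp_config_change user=netadmin src=10.0.1.5 server=ntp.corp.example
"""
def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return (timestamp, rule, detail) alerts for the two log indicators."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent auth failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, ts = rec.get("src"), rec["ts"]
        if rec["event"] == "auth_failure":
            failures[src].append(ts)
        elif rec["event"] == "ntp_config_change":
            recent = failures[src]
            while recent and ts - recent[0] > WINDOW:  # expire old failures
                recent.popleft()
            if rec.get("user") not in AUTHORIZED_ADMINS:
                alerts.append((ts, "ntp_change_unauthorized_user", rec.get("user")))
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append((ts, "ntp_change_after_failed_logins",
                               f"{src} ({len(recent)} failures)"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample above, only the 10:01:02 change from 10.0.5.23 fires, under both rules; the later change by the allowlisted admin from a clean source raises nothing.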
