Reflected Cross-Site Scripting Vulnerability in Zenitel TCIV-3+ Product
CVE-2025-64130

9.3CRITICAL

Key Information:

Vendor: Zenitel
Status: Tciv-3+
Vendor: CVE Published:; 26 November 2025

What is CVE-2025-64130?

The Zenitel TCIV-3+ is exposed to a reflected cross-site scripting vulnerability that allows remote attackers to inject and execute arbitrary JavaScript code within the victim’s web browser. This can potentially lead to unauthorized actions being performed on behalf of the user, data theft, or session hijacking if exploited effectively. Prompt updates and security measures are recommended to safeguard users from this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

TCIV-3+ 0 <= 9.3.3.0

References

https://wiki.zenitel.com/wiki/Downloads#Station_and_Devic...

https://www.cisa.gov/news-events/ics-advisories/icsa-25-3...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Oct 27, 2025

Credit

Nir Tepper and Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.

JSON

Zenitel

What is CVE-2025-64130?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.