VYPR
Vendor

Zenitel

Products
7
CVEs
15
Across products
17
Status
Private

Products

7

Recent CVEs

15
  • CVE-2025-64130CriNov 26, 2025
    risk 0.64cvss 9.8epss 0.01

    Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser.

  • CVE-2021-40845HigSep 15, 2021
    risk 0.58cvss 8.8epss 0.05

    The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd…

  • CVE-2025-59814HigSep 25, 2025
    risk 0.57cvss 8.8epss 0.00

    This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin database.

  • CVE-2025-59815HigSep 25, 2025
    risk 0.55cvss 8.4epss 0.00

    This vulnerability allows malicious actors to execute arbitrary commands on the underlying system of the Zenitel ICX500 and ICX510 Gateway, granting shell access. Exploitation can compromise the device’s availability, confidentiality, and integrity.

  • CVE-2025-64129HigNov 26, 2025
    risk 0.49cvss 7.6epss 0.00

    Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.

  • CVE-2025-59816HigSep 25, 2025
    risk 0.47cvss 7.3epss 0.00

    This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. User passwords are stored in plaintext, significantly increasing the severity of this issue.

  • CVE-2018-19926MedDec 6, 2018
    risk 0.40cvss 6.1epss 0.01

    Zenitel Norway IP-StationWeb before 4.2.3.9 allows reflected XSS via the goform/ PATH_INFO.

  • CVE-2024-57784MedJan 16, 2025
    risk 0.36cvss 5.5epss 0.01

    An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal.

  • CVE-2024-57785MedJan 16, 2025
    risk 0.32cvss 4.9epss 0.01

    Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php.

  • CVE-2018-19927MedDec 6, 2018
    risk 0.31cvss 4.8epss 0.01

    Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases.

  • CVE-2025-59818Feb 4, 2026
    risk 0.00cvss epss 0.00

    This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file.

  • CVE-2025-64093Jan 9, 2026
    risk 0.00cvss epss 0.01

    Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.

  • CVE-2025-64092Jan 9, 2026
    risk 0.00cvss epss 0.00

    This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.

  • CVE-2025-64091Jan 9, 2026
    risk 0.00cvss epss 0.00

    This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.

  • CVE-2025-64090Jan 9, 2026
    risk 0.00cvss epss 0.00

    This vulnerability allows authenticated attackers to execute commands via the hostname of the device.