A critical vulnerability, identified as CVE-2025-59814 with a CVSS score of 9.8, has been discovered in multiple Zenitel products, including the ICX500 and ICX510 Gateways. This flaw allows an unauthenticated remote attacker to gain complete access to the Billing Admin endpoint, potentially leading to a severe data breach of sensitive financial and administrative information. Organizations are urged to apply the vendor-supplied patches immediately to mitigate the significant risk of data exposure and system compromise.

This vulnerability is an improper access control flaw on the Billing Admin endpoint of affected Zenitel gateways. A critical authentication check is missing, allowing any remote, unauthenticated attacker to directly access this administrative interface. By sending a specially crafted request to the specific endpoint URL, an attacker can bypass all security mechanisms and gain the ability to read the entire contents of the Billing Admin database, which may contain sensitive customer information, billing records, transaction history, and potentially administrative credentials.

The exploitation of this vulnerability carries a critical severity rating with a CVSS score of 9.8. A successful attack would result in a complete loss of confidentiality for all data managed by the Billing Admin system. The business impact includes the high probability of a major data breach, leading to significant financial losses from fraud, severe reputational damage, and potential regulatory fines under data protection laws like GDPR. The exposure of administrative data could also serve as a pivot point for attackers to compromise other systems within the network.

Immediate Action: Immediately update affected Zenitel ICX500 and ICX510 Gateway products to the latest version as recommended by the vendor. After patching, verify that the update was successful and the vulnerability is no longer present. It is also critical to monitor for any signs of exploitation attempts that may have occurred prior to patching by reviewing historical access logs.

Proactive Monitoring: Implement enhanced monitoring of the affected devices. Security teams should inspect web server and application logs for any direct, unauthenticated requests to the Billing Admin endpoint URL. Configure alerts for unusual access patterns or large data transfers originating from the gateway, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement network segmentation to restrict all external access to the device's management interface. Use a firewall or Web Application Firewall (WAF) to create a specific deny rule for the vulnerable Billing Admin URL path, allowing access only from a small set of trusted internal IP addresses.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, we recommend that organizations treat its remediation as their highest security priority. The risk of a complete data breach from the billing system is imminent. All system administrators should immediately apply the vendor-provided patches to all affected Zenitel devices. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact and ease of exploitation make it a prime candidate for future inclusion and a valuable target for a wide range of threat actors.