CVE-2024-25659: n/a
In Infinera TNMS (Transcend Network Management System) 19.10.3, an insecure default configuration of the internal SFTP server on Linux servers allows a remote attacker to access files and directories outside the SFTP user home directory.
AI Analysis
Technical Summary
CVE-2024-25659 identifies a directory traversal vulnerability in the internal SFTP server component of Infinera's Transcend Network Management System (TNMS) version 19.10.3 running on Linux. The root cause is an insecure default configuration that fails to properly restrict SFTP users to their designated home directories, allowing remote attackers with high-level privileges to access files and directories outside their authorized scope. This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS v3.1 base score is 7.2 (high severity): the attack vector is network, attack complexity is low, high privileges are required, no user interaction is needed, and confidentiality, integrity, and availability are all impacted. The flaw could allow attackers to read, modify, or delete critical system or application files, potentially compromising the network management system's operation and exposing sensitive network configuration data. Although no public exploits or patches are currently available, the vulnerability poses a significant risk to organizations relying on Infinera TNMS for managing telecommunications infrastructure. The issue highlights the importance of secure default configurations, especially for internal services like SFTP that handle sensitive data transfers.
Potential Impact
The vulnerability could lead to unauthorized disclosure of sensitive network management files, modification or deletion of critical configuration data, and potential disruption of network management operations. This can compromise the confidentiality, integrity, and availability of the network management system, potentially cascading to broader network outages or security breaches. Organizations worldwide that use Infinera TNMS for managing telecommunications networks could face operational disruptions, data breaches, and increased risk of further exploitation if attackers leverage this vulnerability to escalate privileges or move laterally within the network. The impact is especially critical for telecom providers and enterprises relying on TNMS for network stability and security. Given the high privileges required, the threat is more relevant to insider threats or attackers who have already gained elevated access, but the network-exposed nature of the SFTP service increases the attack surface.
Mitigation Recommendations
Organizations should immediately audit and harden the SFTP server configuration within Infinera TNMS to ensure strict chroot or equivalent directory restrictions are enforced, preventing users from escaping their home directories. Implement access controls limiting SFTP usage to only necessary accounts with minimal privileges. Monitor SFTP logs for unusual access patterns or attempts to access unauthorized directories. Network segmentation should isolate management systems to reduce exposure. Employ multi-factor authentication and strong credential management for accounts with high privileges. Until an official patch is released, consider disabling the internal SFTP server if feasible or replacing it with a securely configured external SFTP solution. Regularly update and patch TNMS software once vendor fixes become available. Conduct penetration testing focused on directory traversal and privilege escalation scenarios within the management environment.
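One way to act on the log-monitoring recommendation above, as an added example that is not Infinera's code or part of the original page: it assumes the SFTP service logs in the style of OpenSSH's `sftp-server` at `LogLevel INFO` and that `HOMES` maps each SFTP account to its home directory. The accounts, addresses and log lines are constructed.

```python
import posixpath
import re

# Assumed account -> home directory map (hypothetical accounts).
HOMES = {"tnmsftp": "/home/tnmsftp", "backup": "/home/backup"}

# Constructed log lines in the style of OpenSSH sftp-server at LogLevel INFO.
# Assumption: the TNMS internal SFTP server may use a different format.
SAMPLE_LOG = """\
sftp-server[4101]: session opened for local user tnmsftp from [192.0.2.10]
sftp-server[4101]: opendir "/home/tnmsftp/reports"
sftp-server[4101]: open "/home/tnmsftp/reports/../../../etc/shadow" flags READ mode 0666
sftp-server[4101]: open "/home/tnmsftp2/x.cfg" flags READ mode 0666
sftp-server[4102]: session opened for local user backup from [192.0.2.11]
sftp-server[4102]: open "/home/backup/nightly.tar" flags WRITE,CREATE,TRUNCATE mode 0644
sftp-server[4102]: remove name "/var/log/messages"
"""

SESSION_RE = re.compile(
    r'sftp-server\[(\d+)\]: session opened for local user (\S+) from \[([^\]]+)\]')
PATH_OP_RE = re.compile(
    r'sftp-server\[(\d+)\]: (opendir|open|remove|mkdir|rmdir)(?: name)? "([^"]*)"')

def resolve(home, path):
    """Collapse '.' and '..' lexically; relative paths start at the home directory."""
    # Lexical only: symlinks cannot be resolved from a log line.
    return posixpath.normpath(posixpath.join(home, path))

def is_inside(home, resolved):
    # Compare whole path components so /home/tnmsftp2 is not taken for /home/tnmsftp.
    return resolved == home or resolved.startswith(home.rstrip("/") + "/")

def find_escapes(log_text, homes):
    """Return (user, client, operation, resolved_path) for accesses outside the home."""
    sessions, findings = {}, []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions[m.group(1)] = (m.group(2), m.group(3))  # keyed by PID
            continue
        m = PATH_OP_RE.search(line)
        if not m or m.group(1) not in sessions:
            continue
        user, client = sessions[m.group(1)]
        if user not in homes:
            continue  # account not covered by this audit
        resolved = resolve(homes[user], m.group(3))
        if not is_inside(homes[user], resolved):
            findings.append((user, client, m.group(2), resolved))
    return findings
```

Calling `find_escapes(SAMPLE_LOG, HOMES)` flags three of the six file operations in the sample; with a correctly enforced chroot the server would not resolve such paths outside the jail in the first place.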
Affected Countries
United States, Japan, Germany, South Korea, United Kingdom, France, Canada, Australia, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-09T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d6db7ef31ef0b5720f9
Added to database: 2/25/2026, 9:45:17 PM
Last enriched: 2/26/2026, 10:43:11 AM
Last updated: 4/12/2026, 7:55:38 AM