CVE-2024-31970 is a high-severity vulnerability identified in AdTran SRG 834-5 devices running SmartOS 11.1.1.1. The issue arises because SSH is enabled by default and accessible over both LAN and potentially the Internet during the device setup phase. During this window, the device uses a default username and password combination (admin/admin) that grants root-level privileges. An attacker who can access the device during this setup period can exploit these default credentials to gain unauthorized root access. This access allows the attacker to modify the existing admin account or create new accounts with equivalent privileges, enabling arbitrary command execution on the device. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating improper access control. The vendor, AdTran, disputes the vulnerability’s applicability, asserting that SSH has never been accessible from the WAN on official SmartOS builds and that the vulnerable test build was never released to end users. The CVSS v3.1 score of 7.2 reflects a network attack vector with low attack complexity, requiring high privileges but no user interaction, and resulting in high confidentiality, integrity, and availability impacts. No public exploits have been reported, and no patch links are currently provided. The vulnerability primarily affects devices running the specified SmartOS version, with a fixed version identified as 12.1.3.1.

If exploited, this vulnerability allows attackers to gain root-level access to affected AdTran SRG 834-5 devices during the setup window, potentially leading to full compromise of the device. This includes the ability to execute arbitrary commands, modify configurations, create or alter user accounts, and disrupt device operations. Such control can lead to interception or manipulation of network traffic, disruption of network services, and potential lateral movement within the affected organization's network. The impact on confidentiality, integrity, and availability is high, as attackers can fully control the device. Although the vendor disputes the vulnerability’s applicability and claims limited exposure, organizations using affected versions may face significant risks if devices are deployed without proper safeguards. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially in targeted attacks or insider threat scenarios.

Organizations should verify the firmware version of their AdTran SRG 834-5 devices and ensure they are running SmartOS version 12.1.3.1 or later, where this vulnerability is fixed. During device setup, restrict SSH access to trusted management networks only, ideally disabling WAN access entirely until the device is fully configured. Change default credentials immediately upon initial access and enforce strong password policies. Implement network segmentation to isolate management interfaces from general user networks and the Internet. Monitor device logs for unauthorized access attempts during the setup phase. If possible, disable SSH during setup or use out-of-band management methods to reduce exposure. Maintain an inventory of affected devices and apply vendor advisories promptly. Engage with AdTran support to confirm device configurations and receive updates on official patches or mitigations.