Skip to main content

CVE-2025-27023: CWE-20 Improper Input Validation in Infinera G42

Medium
VulnerabilityCVE-2025-27023cvecve-2025-27023cwe-20
Published: Wed Jul 02 2025 (07/02/2025, 09:07:06 UTC)
Source: CVE Database V5
Vendor/Project: Infinera
Product: G42

Description

Lack or insufficent input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance enables the feature of executing a restricted set of commands. This feature also offers the option to execute a script-file already present on the target device. When a non-script or incorrect file is specified, the content of the file is shown along with an error message. Due to an execution of the http service with a privileged user all files on the file system can be viewed this way.

AI-Powered Analysis

AILast updated: 07/02/2025, 09:39:30 UTC

Technical Analysis

CVE-2025-27023 is a medium-severity vulnerability affecting the Infinera G42 optical transport appliance, specifically version R6.1.3. The vulnerability arises from improper input validation (CWE-20) in the WebGUI CLI web interface, which is used for device management. The web interface allows remote authenticated users to execute a restricted set of commands and also to execute script files present on the device. However, when a user specifies a non-script or incorrect file, the system erroneously displays the content of that file along with an error message. This behavior is due to the HTTP service running with privileged user permissions, which inadvertently allows authenticated users to read any file on the underlying operating system. The vulnerability does not allow modification or deletion of files, nor does it require user interaction beyond authentication. The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality impact without affecting integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The root cause is insufficient input validation in the web interface's command execution feature, which fails to restrict file access properly, exposing sensitive system files to authenticated users.

Potential Impact

For European organizations using the Infinera G42 appliance version 6.1.3, this vulnerability poses a significant confidentiality risk. Attackers with valid credentials can remotely access sensitive OS files, potentially exposing configuration files, credentials, logs, or other sensitive data that could facilitate further attacks or espionage. Given that Infinera G42 devices are used in optical transport networks, which form critical infrastructure for telecommunications and data transmission, unauthorized disclosure of system files could lead to information leakage about network topology, security configurations, or operational details. This could enable adversaries to plan targeted attacks or disrupt services indirectly. Although the vulnerability does not allow direct modification or denial of service, the confidentiality breach alone can have severe consequences, especially for telecom operators, ISPs, and enterprises relying on these devices for secure communications. The requirement for authentication limits exposure to insiders or attackers who have compromised credentials, but the privileged nature of the HTTP service amplifies the risk once access is gained.

Mitigation Recommendations

Organizations should immediately audit their Infinera G42 appliances to identify devices running version 6.1.3 and restrict access to the WebGUI CLI interface to trusted administrators only, ideally via secure management networks or VPNs. Strong authentication mechanisms, including multi-factor authentication (MFA), should be enforced to reduce the risk of credential compromise. Monitoring and logging of all WebGUI CLI access should be enabled to detect suspicious activities. Since no official patch is currently linked, organizations should engage with Infinera support to obtain updates or workarounds. As a temporary mitigation, administrators should avoid executing or referencing non-script files via the CLI web interface to prevent accidental disclosure. Network segmentation and strict firewall rules should limit access to management interfaces. Additionally, organizations should consider implementing file integrity monitoring on these devices to detect unauthorized file access or exfiltration attempts. Regular security assessments and penetration testing focusing on management interfaces can help identify similar weaknesses.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
ENISA
Date Reserved
2025-02-18T06:59:55.889Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6864fad36f40f0eb72923030

Added to database: 7/2/2025, 9:24:35 AM

Last enriched: 7/2/2025, 9:39:30 AM

Last updated: 7/3/2025, 2:53:57 PM

Views: 10

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats