CVE-2025-27023: CWE-20 Improper Input Validation in Infinera G42
Missing or insufficient input validation in the WebGUI CLI web interface of Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web-based management interface of the Infinera G42 appliance allows execution of a restricted set of commands. This feature also offers the option to execute a script file already present on the target device. When a non-script or incorrect file is specified, the content of the file is shown along with an error message. Because the HTTP service runs as a privileged user, all files on the file system can be viewed this way.
AI Analysis
Technical Summary
CVE-2025-27023 is a medium-severity vulnerability affecting the Infinera G42 optical transport appliance, specifically version R6.1.3. It arises from improper input validation (CWE-20) in the WebGUI CLI web interface, which is used for device management. The web interface allows remote authenticated users to execute a restricted set of commands and also to execute script files present on the device. However, when a user specifies a non-script or incorrect file, the system displays the content of that file along with an error message. Because the HTTP service runs with privileged user permissions, this error path lets authenticated users read any file on the underlying operating system. The vulnerability does not allow modification or deletion of files, nor does it require user interaction beyond authentication. The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality impact without affecting integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The root cause is insufficient input validation in the web interface's command execution feature, which fails to restrict file access properly, exposing sensitive system files to authenticated users.
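One way to close the root cause described above, shown as an added example rather than Infinera's code: confine the requested script to a dedicated directory after canonicalization, and report parse errors by line number without echoing file content. The function names, the `scripts` directory, the `show` command and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

class ScriptRejected(Exception):
    """Generic rejection; the message never carries file content."""

def resolve_script(requested, script_dir):
    """Return the canonical path of a regular file inside script_dir."""
    base = os.path.realpath(script_dir)
    # Canonicalize after joining so "..", absolute paths and symlinks are
    # resolved before the containment check.
    candidate = os.path.realpath(os.path.join(base, requested))
    inside = os.path.commonpath([base, candidate]) == base and candidate != base
    if not inside or not os.path.isfile(candidate):
        raise ScriptRejected("script not found")
    return candidate

def run_script(requested, script_dir, allowed):
    """Check every line against the allowed command set before running any."""
    path = resolve_script(requested, script_dir)
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    for number, line in enumerate(lines, 1):
        if line.split()[0] not in allowed:
            # Report the line number only: echoing the offending text is
            # what turns a parse error into a file-read primitive.
            raise ScriptRejected(f"invalid command at line {number}")
    return lines  # a real handler would dispatch these to the CLI

def demo():
    """Constructed sample: a script directory with a sensitive file beside it."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts)
        files = {"secret.conf": "password=constructed-sample\n",
                 "scripts/ok.cli": "show inventory\nshow alarms\n",
                 "scripts/notes.txt": "password=constructed-sample\n"}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        results = {}
        for name in ("ok.cli", "../secret.conf", "/etc/hostname", "notes.txt"):
            try:
                results[name] = run_script(name, scripts, {"show"})
            except ScriptRejected as exc:
                results[name] = str(exc)
        return results

if __name__ == "__main__":
    print(demo())
```

Path confinement limits what the feature can open; running the HTTP service as an unprivileged user remains the control that limits what any remaining read flaw can reach.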
Potential Impact
For European organizations using the Infinera G42 appliance version 6.1.3, this vulnerability poses a significant confidentiality risk. Attackers with valid credentials can remotely access sensitive OS files, potentially exposing configuration files, credentials, logs, or other sensitive data that could facilitate further attacks or espionage. Given that Infinera G42 devices are used in optical transport networks, which form critical infrastructure for telecommunications and data transmission, unauthorized disclosure of system files could lead to information leakage about network topology, security configurations, or operational details. This could enable adversaries to plan targeted attacks or disrupt services indirectly. Although the vulnerability does not allow direct modification or denial of service, the confidentiality breach alone can have severe consequences, especially for telecom operators, ISPs, and enterprises relying on these devices for secure communications. The requirement for authentication limits exposure to insiders or attackers who have compromised credentials, but the privileged nature of the HTTP service amplifies the risk once access is gained.
Mitigation Recommendations
Organizations should immediately audit their Infinera G42 appliances to identify devices running version 6.1.3 and restrict access to the WebGUI CLI interface to trusted administrators only, ideally via secure management networks or VPNs. Strong authentication mechanisms, including multi-factor authentication (MFA), should be enforced to reduce the risk of credential compromise. Monitoring and logging of all WebGUI CLI access should be enabled to detect suspicious activities. Since no official patch is currently linked, organizations should engage with Infinera support to obtain updates or workarounds. As a temporary mitigation, administrators should avoid executing or referencing non-script files via the CLI web interface to prevent accidental disclosure. Network segmentation and strict firewall rules should limit access to management interfaces. Additionally, organizations should consider implementing file integrity monitoring on these devices to detect unauthorized file access or exfiltration attempts. Regular security assessments and penetration testing focusing on management interfaces can help identify similar weaknesses.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: ENISA
- Date Reserved: 2025-02-18T06:59:55.889Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6864fad36f40f0eb72923030
Added to database: 7/2/2025, 9:24:35 AM
Last enriched: 7/2/2025, 9:39:30 AM
Last updated: 7/3/2025, 2:53:57 PM