CVE-2025-27025 is a high-severity vulnerability affecting the Infinera G42 device, specifically version 6.1.3. The vulnerability arises from improper handling of insufficient permissions or privileges (CWE-280) in a service exposed on a specific TCP port of the device. This service uses Basic Authentication to control access to an endpoint that accepts HTTP PUT and GET methods. The PUT method allows authenticated users to write files directly to the device's file system as the root user, while the GET method enables reading any file from the file system. Critically, the endpoint is vulnerable to a Directory Traversal attack, which means an attacker can manipulate the file path to write or read files outside the intended directories. This flaw enables an attacker with at least limited privileges (authentication required) to escalate their access and execute arbitrary file writes and reads with root privileges, potentially leading to full system compromise. The vulnerability has a CVSS 3.1 score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are reported in the wild yet, the ease of exploitation and the critical nature of the flaw make it a significant threat to organizations using the affected Infinera G42 devices.

For European organizations, the impact of this vulnerability is substantial, especially for those relying on Infinera G42 devices in their telecommunications infrastructure or critical network environments. Successful exploitation could lead to unauthorized disclosure of sensitive configuration files or credentials, modification or deletion of critical system files, and potentially full device takeover. This could disrupt network services, degrade availability, and compromise the integrity of network operations. Given that Infinera devices are often used in optical transport networks and critical communications infrastructure, exploitation could have cascading effects on service providers, enterprises, and government agencies. The ability to write files as root also raises the risk of persistent backdoors or malware installation, complicating incident response and recovery. The confidentiality breach could expose sensitive operational data, while integrity and availability impacts could lead to service outages affecting end-users and business continuity.

To mitigate this vulnerability, organizations should immediately verify if they are running Infinera G42 version 6.1.3 and restrict access to the vulnerable TCP port to trusted management networks only, using network segmentation and firewall rules. Implement strong authentication mechanisms beyond Basic Authentication, such as multi-factor authentication or certificate-based authentication, if supported by the device. Monitor and log all access to the affected endpoint to detect suspicious PUT or GET requests indicative of exploitation attempts. Since no official patch is currently available, coordinate with Infinera support for any interim firmware updates or recommended configuration changes. Additionally, conduct regular integrity checks on critical system files to detect unauthorized modifications. Employ intrusion detection systems (IDS) with signatures or heuristics targeting directory traversal and abnormal file operations on these devices. Finally, develop and test incident response plans specific to network infrastructure compromise scenarios involving Infinera devices.