
CVE-2025-27026: CWE-1220: Insufficient Granularity of Access Control in Infinera G42

Severity: Medium
Tags: Vulnerability, CVE-2025-27026, cve, cwe-1220
Published: Wed Jul 02 2025 (07/02/2025, 13:42:42 UTC)
Source: CVE Database V5
Vendor/Project: Infinera
Product: G42

Description

A missing double-check feature in the WebGUI for CLI deactivation in Infinera G42 version R6.1.3 allows an authenticated administrator to make other management interfaces unavailable via local and network interfaces. The CLI deactivation via the WebGUI does not only stop the CLI interface but also deactivates Linux Shell, WebGUI and Physical Serial Console access. No confirmation is asked at deactivation time. Losing access to these services, device administrators are at risk of completely losing device control.

AI-Powered Analysis

AI last updated: 07/02/2025, 14:11:26 UTC

Technical Analysis

CVE-2025-27026 is a medium-severity vulnerability affecting Infinera G42 optical transport devices running version 6.1.3. The issue stems from insufficient granularity in access control within the device's WebGUI management interface. Specifically, an authenticated administrator can deactivate the Command Line Interface (CLI) via the WebGUI without any confirmation prompt. However, this deactivation is overly broad: it not only disables the CLI but also disables access to the Linux Shell, the WebGUI itself, and the physical serial console. This lack of a double-check or confirmation mechanism means that an administrator could inadvertently or maliciously lock themselves and others out of all management interfaces on the device. Since these devices are critical network infrastructure components, losing all management access effectively results in a denial of administrative control, potentially requiring physical intervention or device replacement to regain control. The vulnerability requires authenticated administrator privileges to exploit, does not require user interaction beyond the initial action, and can be triggered remotely over the network interface. The CVSS v3.1 base score is 4.9, reflecting a medium severity rating primarily due to the impact on availability (complete loss of management access) but no direct impact on confidentiality or integrity. No known exploits are currently reported in the wild, and no patches have been linked yet. The underlying weakness is categorized under CWE-1220, which relates to insufficient granularity of access control, highlighting that the device's management interface does not properly restrict or confirm critical administrative actions, leading to potential self-lockout scenarios.

Potential Impact

For European organizations, particularly those operating critical telecommunications infrastructure or large-scale optical transport networks, this vulnerability poses a significant operational risk. Infinera G42 devices are often deployed in backbone networks, data centers, and service provider environments. If an administrator accidentally or maliciously disables all management interfaces, it could lead to prolonged outages or degraded network performance due to the inability to perform remote troubleshooting, configuration changes, or emergency interventions. This loss of availability could disrupt essential services, including internet connectivity, cloud services, and enterprise communications, impacting businesses and end-users. Recovery may require on-site physical access, which can be time-consuming and costly, especially for geographically dispersed or remote installations. Additionally, the lack of a confirmation step increases the risk of human error, which is a common cause of network incidents. While confidentiality and integrity are not directly impacted, the operational disruption and potential service downtime could have cascading effects on dependent systems and services across European networks.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Restrict administrative access to the Infinera G42 WebGUI to trusted personnel only, using strong authentication mechanisms and network segmentation to limit exposure.
2) Establish strict operational procedures and change management controls that require peer review or dual authorization before performing critical actions such as CLI deactivation.
3) Train administrators about the risk of this vulnerability and the importance of avoiding the CLI deactivation function unless absolutely necessary.
4) Where possible, maintain out-of-band management channels or redundant access paths (e.g., separate console servers or secure serial connections) to regain control if the primary interfaces are disabled.
5) Monitor device logs and management activity for unusual or unauthorized attempts to disable interfaces.
6) Engage with Infinera support to obtain patches or firmware updates addressing this issue as soon as they become available, and plan timely deployment.
7) Consider implementing automated backup and recovery procedures for device configurations to facilitate rapid restoration in case of lockout.

These steps go beyond generic advice by focusing on operational controls, administrative discipline, and infrastructure redundancy tailored to the specific nature of this vulnerability.
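The weakness described in the Technical Analysis (one coarse "deactivate CLI" action that silently takes down every other management path, with no confirmation) and the controls in recommendations 2 and 5 above (dual authorization, auditable attempts) can be modelled in a few dozen lines. The following is an added example written for this page, not Infinera's code or any real G42 API: the interface names, the coupling table and the token scheme are all constructed. It contrasts the unguarded behaviour with a guarded one that refuses any change leaving zero management paths, stages the change behind a one-time token, requires a different administrator to acknowledge the exact affected set, and records denied or rejected attempts for monitoring.

```python
"""Hypothetical guarded deactivation of device management interfaces.

Constructed example for CVE-2025-27026 (CWE-1220); not vendor code.
Interface names and the COUPLED table are assumptions for illustration.
"""
from dataclasses import dataclass, field
import secrets

# Management interfaces on the hypothetical device (constructed names).
INTERFACES = frozenset({"cli", "shell", "webgui", "serial"})

# Hypothetical coupling table: deactivating the key also deactivates the
# listed interfaces. Mirrors the advisory's overly broad CLI deactivation.
COUPLED = {"cli": frozenset({"shell", "webgui", "serial"})}


class LockoutRisk(Exception):
    """Raised when a change would leave no enabled management interface."""


class ConfirmationRequired(Exception):
    """Raised when a staged change lacks a valid second-admin confirmation."""


def affected_by(iface: str) -> frozenset:
    """Return every interface that deactivating `iface` would take down."""
    if iface not in INTERFACES:
        raise ValueError(f"unknown interface: {iface}")
    return frozenset({iface}) | COUPLED.get(iface, frozenset())


def vulnerable_deactivate(enabled: set, iface: str) -> list:
    """Unguarded behaviour as described in the advisory: no lockout check,
    no confirmation. Returns the (possibly empty) list of remaining paths."""
    enabled -= affected_by(iface)
    return sorted(enabled)


@dataclass
class ManagementPlane:
    enabled: set = field(default_factory=lambda: set(INTERFACES))
    audit: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # token -> (iface, affected, requester)

    def request_deactivation(self, iface: str, actor: str):
        """Stage a deactivation. Refuses outright if it would remove the last
        management path; otherwise returns a one-time token plus the full
        set of interfaces the action really affects."""
        affected = affected_by(iface) & self.enabled
        if not (self.enabled - affected):
            self.audit.append(f"DENY actor={actor} target={iface} reason=last-management-path")
            raise LockoutRisk(f"deactivating {iface} would disable all of {sorted(affected)}")
        token = secrets.token_hex(8)
        self.pending[token] = (iface, affected, actor)
        self.audit.append(f"PENDING actor={actor} target={iface} affects={sorted(affected)} token={token}")
        return token, sorted(affected)

    def confirm(self, token: str, actor: str, acknowledged) -> list:
        """Apply a staged change only if a *different* administrator
        acknowledges exactly the affected set. Returns remaining interfaces."""
        entry = self.pending.get(token)
        if entry is None:
            raise ConfirmationRequired("unknown or already-used token")
        iface, affected, requester = entry
        if actor == requester:
            self.audit.append(f"REJECT actor={actor} token={token} reason=same-actor")
            raise ConfirmationRequired("a second administrator must confirm")
        if frozenset(acknowledged) != affected:
            self.audit.append(f"REJECT actor={actor} token={token} reason=ack-mismatch")
            raise ConfirmationRequired(f"must acknowledge exactly {sorted(affected)}")
        del self.pending[token]  # token is single-use
        self.enabled -= affected
        self.audit.append(f"APPLY actor={actor} requester={requester} target={iface} disabled={sorted(affected)}")
        return sorted(self.enabled)

    def denials(self) -> list:
        """Audit lines worth alerting on: denied or rejected deactivation attempts."""
        return [line for line in self.audit if line.startswith(("DENY", "REJECT"))]


if __name__ == "__main__":
    print("unguarded:", vulnerable_deactivate(set(INTERFACES), "cli"))  # nothing left
    plane = ManagementPlane()
    try:
        plane.request_deactivation("cli", "alice")
    except LockoutRisk as exc:
        print("guarded:", exc)
    token, affected = plane.request_deactivation("webgui", "alice")
    print("remaining:", plane.confirm(token, "bob", affected))
    print("alerts:", plane.denials())
```

The point of returning the full affected set from `request_deactivation` is that the confirming administrator acknowledges what the action actually does, not what its label says; a confirmation that only echoes "cli" would reproduce the granularity problem. Feeding `denials()` into whatever log pipeline the organization already runs covers recommendation 5 without any vendor-specific log format.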


Technical Details

Data Version: 5.1
Assigner Short Name: ENISA
Date Reserved: 2025-02-18T06:59:55.889Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68653a166f40f0eb7292c93f

Added to database: 7/2/2025, 1:54:30 PM

Last enriched: 7/2/2025, 2:11:26 PM

Last updated: 7/10/2025, 4:16:43 AM
