CVE-2025-35021: CWE-1188 Insecure Default Initialization of Resource in Abilis CPX
By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections.
AI Analysis
Technical Summary
CVE-2025-35021 is an authentication bypass in the Abilis CPX device, classified as CWE-1188 (initialization of a resource with an insecure default). While a CPX unit is still in its unconfigured, out-of-the-box state, its SSH service treats the fourth login attempt differently from the first three: an attacker who deliberately fails authentication three times is dropped into a restricted shell on the fourth attempt without ever presenting valid credentials. The advisory does not say which commands that restricted shell exposes, but it does state that the shell can be used to relay connections, so a device reachable from an untrusted network becomes a pivot into whatever networks it is attached to. The flaw is exploitable over the network with no privileges and no user interaction. Its CVSS v3.1 base score is 6.5 (medium), which corresponds to network access, low attack complexity, no privileges required, no user interaction, unchanged scope, low confidentiality and integrity impact, and no availability impact (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). No vendor patch and no known exploitation are reported at the time of this analysis. The root cause is that the SSH service's pre-configuration default grants access rather than denying it. Because the behaviour is tied to the unconfigured state, the exposure window is the interval between a unit first becoming reachable on a network and its initial configuration being completed; that window is exactly where secure provisioning and configuration management for network infrastructure devices matter most.
Potential Impact
For European organizations, especially those in telecommunications, industrial control, and critical infrastructure sectors using Abilis CPX devices, this vulnerability could give an outsider a foothold on a network segment. Relaying connections from the restricted shell can support lateral movement, data exfiltration, or access to services that were only reachable from the device's own networks, affecting the confidentiality and integrity of data and systems behind it. Availability is not directly affected, but a compromised network device undermines trust in the network and can lead to broader operational disruption. The population at risk is any unit that is reachable over a network before its initial configuration is complete: newly racked devices, replacement units, lab spares, and units reset to factory defaults. The medium severity rating reflects the limited impact of the restricted shell itself, while the absence of any credential, privilege, or user-interaction requirement makes the bypass trivial to attempt. No exploitation in the wild is reported, but the method is simple enough (three failed logins, then a fourth) that it needs no exploit development to weaponize. European entities operating critical communications infrastructure or industrial automation may face heightened risk given the strategic role of these devices in their networks.
Mitigation Recommendations
1. Ensure every Abilis CPX device is fully configured before it is connected to a production or reachable network, so that no unit sits in the default, uninitialized state that exposes the SSH service with insecure defaults.
2. Provision devices out of band (console or serial) or on an isolated staging network; do not expose the SSH service to any production or untrusted network until authentication has been configured and verified.
3. Implement network segmentation and access control lists (ACLs) so that SSH to these devices is reachable only from trusted management networks.
4. Forward SSH authentication logs to a central collector and alert on the signature of this bypass: three failed attempts from one source followed by a successful session from the same source, particularly one that lands in a restricted shell.
5. Apply vendor-provided patches or firmware updates as soon as they become available.
6. Audit device configurations regularly to confirm that no device remains in an unconfigured or default state.
7. Employ multi-factor authentication (MFA) for device management interfaces where the platform supports it.
8. Train network administrators on secure provisioning practices and the risks of default configurations.
9. Consider intrusion detection/prevention systems (IDS/IPS) that can detect and block suspicious SSH activity targeting these devices.
10. Maintain an inventory of all Abilis CPX devices so vulnerable units can be identified and remediated quickly.
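Recommendations 3 and 4 above can be checked mechanically once the devices' SSH authentication logs reach a central collector. The following Python detector is an added example, not code from this page or from Abilis: it walks a log, tracks failed attempts per (device, source) pair, and raises an alert when a successful login follows three or more failures within a short window, or when any successful login comes from outside a management allowlist. The log line format, the management network 10.0.0.0/24 and the sample lines are all constructed for the example, since the CPX's real syslog format is not given on the page; adapt LINE_RE to what your collector actually receives.

```python
"""Detect the CVE-2025-35021 login pattern in centrally collected SSH auth logs.

Added example; not code from the advisory or from Abilis. The line format is
CONSTRUCTED for this example because the CPX's real log format is not given
on the page. Adapt LINE_RE to whatever your collector actually receives.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed (constructed) log line shapes:
#   <ISO ts> <device> ssh: auth FAILED user=<u> from=<ip>
#   <ISO ts> <device> ssh: auth OK user=<u> from=<ip> shell=<restricted|full>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) ssh: auth (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)(?: shell=(?P<shell>\S+))?$"
)

# Hypothetical management network: the only sources allowed to open SSH sessions.
MGMT_NETS = ["10.0.0.0/24"]

# Constructed sample: an admin from the management net, then an outside host
# that fails three times and lands in a restricted shell on the fourth attempt,
# then an admin who mistypes once (a single failure is not the bypass pattern).
SAMPLE_LOG = [
    "2025-11-04T00:10:01 cpx-01 ssh: auth OK user=admin from=10.0.0.5 shell=full",
    "2025-11-04T00:12:00 cpx-01 ssh: auth FAILED user=admin from=203.0.113.7",
    "2025-11-04T00:12:02 cpx-01 ssh: auth FAILED user=admin from=203.0.113.7",
    "2025-11-04T00:12:04 cpx-01 ssh: auth FAILED user=admin from=203.0.113.7",
    "2025-11-04T00:12:06 cpx-01 ssh: auth OK user=admin from=203.0.113.7 shell=restricted",
    "2025-11-04T00:15:00 cpx-02 ssh: auth FAILED user=admin from=10.0.0.5",
    "2025-11-04T00:15:05 cpx-02 ssh: auth OK user=admin from=10.0.0.5 shell=full",
]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    device: str
    src: str
    reason: str


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, mgmt_nets=MGMT_NETS, window=timedelta(minutes=5),
           failures_before_success=3):
    """Scan auth lines in order and return the alerts they trigger."""
    allowed = [ipaddress.ip_network(n) for n in mgmt_nets]
    # (device, src) -> timestamps of failures since that source's last success
    failures = defaultdict(list)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["device"], ev["src"])
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            continue
        # A session was opened. First: is the source a permitted management host?
        src_ip = ipaddress.ip_address(ev["src"])
        if not any(src_ip in net for net in allowed):
            alerts.append(Alert(ev["ts"], ev["device"], ev["src"],
                                "outside-management-network"))
        # Second: the bypass signature, N failures shortly before the success.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= failures_before_success:
            alerts.append(Alert(ev["ts"], ev["device"], ev["src"],
                                f"success-after-{len(recent)}-failures"))
        failures[key] = []  # a success resets the streak for this source
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.device} src={a.src} {a.reason}")
```

Run against the sample, the detector raises two alerts for the 203.0.113.7 session on cpx-01 (one because the source is outside the management network, one because the success followed three failures) and none for the admin's single mistyped password on cpx-02. Tune `window` and `failures_before_success` to the device's real lockout behaviour, and treat the "outside-management-network" alert as the ACL check of recommendation 3 having already failed.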
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: AHA
- Date Reserved: 2025-04-15T20:40:32.308Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69094d8778d4f574c2794f2d
Added to database: 11/4/2025, 12:49:11 AM
Last enriched: 11/4/2025, 1:04:11 AM
Last updated: 11/5/2025, 10:32:46 AM