CRITICAL🇵🇱 Wersja polska

CVE-2025-27020

CVSS 9.8v3.1pub. 2025-12-08upd. 2025-12-22

Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on file system . This issue affects MTC-9: from R22.1.1.0275 before R23.0.

🤖 AI Analysis
How it works

The SSH service on the MTC-9 device is improperly configured in a way that bypasses required authentication mechanisms (CWE-306 – missing critical identity verification). An attacker can contact the SSH service over the network without providing any credentials and gain the ability to execute system commands. The result is full access to the device's file system and the ability to run arbitrary commands from a network connection.

Impact

An unauthenticated attacker can remotely execute arbitrary commands on the device and read, modify, or delete data from the file system, leading to complete device takeover and violation of data confidentiality, integrity, and availability.

Mitigation & patch

Nokia Infinera MTC-9 firmware should be updated to version R23.0 or later. According to the description, the vulnerability was fixed in version R23.0. Until the patch is deployed, it is recommended to restrict network access to the SSH service on MTC-9 devices using firewall rules or network segmentation.

Who is affected

Nokia Infinera MTC-9 with firmware versions from R22.1.1.0275 to R23.0 (excluded).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Nokia Infinera Mtc 9

    HW
    Nokia
    wszystkie wersje
  • Nokia Infinera Mtc 9 Firmware

    OS
    Nokia
    22.1.1.0275 – 23.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-27019CRITICAL9.8PL ✓ten sam produkt

Nokia Infinera MTC-9: dostęp bez hasła przez usługę RSH umożliwia reverse shell

CVE-2025-26487HIGH8.6ten sam produkt

Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated user...

CVE-2025-26488HIGH7.5ten sam produkt

Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the ser...

CVE-2025-26489MEDIUM6.5ten sam produkt

Improper input validation in the Netconf service in Infinera MTC-9 allows remote authenticated users to crash ...

CVE-2025-24936CRITICAL9.0PL ✓ten sam vendor

Command injection w Nokia Wavesuite NOC — RCE przez aplikację webową