CVE-2025-22941

9.8 CRITICAL

📋 TL;DR

A command injection vulnerability in the web management interface of the Adtran 411 ONT allows an authenticated attacker to execute arbitrary commands as root. Devices running firmware version L80.00.0011.M2 are affected; operators whose devices expose the web interface are at risk.

💻 Affected Systems

Products:
  • Adtran 411 ONT
Versions: L80.00.0011.M2
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the web management interface; any device with that interface reachable is exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, allowing attackers to install persistent backdoors, exfiltrate data, pivot to other network segments, or disrupt network services.

🟠 Likely Case

Attackers gain root shell access to modify device configuration, intercept network traffic, or use the device as a foothold for further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the affected device only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials for the web interface. Public technical details are available in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Adtran support for firmware updates
2. Download latest firmware if available
3. Backup current configuration
4. Upload and apply new firmware
5. Verify functionality after update

🔧 Temporary Workarounds

Disable web interface

Versions: all

Disable the vulnerable web management interface from the CLI:

  configure terminal
  no ip http server
  end
  write memory

Restrict web interface access

Versions: all

Limit web interface access to trusted management networks only (TRUSTED-NETWORK is a placeholder for an access list you have already defined to match those networks):

  configure terminal
  ip http access-class TRUSTED-NETWORK
  end
  write memory

Confirm the exact command syntax against the CLI reference for your firmware before applying either workaround.

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious traffic to/from affected devices

🔍 How to Verify

Check if Vulnerable:

Check the running firmware version via the web interface or the CLI. If it is L80.00.0011.M2, the device is vulnerable.

Check Version:

  show version

Verify Fix Applied:

Confirm the running firmware version is later than L80.00.0011.M2.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by successful login
  • Web interface access from unusual IP addresses

Network Indicators:

  • Unexpected outbound connections from ONT device
  • Unusual traffic patterns to/from management interface

SIEM Query (pseudo-syntax, adapt to your platform's query language):

  source="adtran-ont" AND (event_type="command_execution" OR auth_success="true" AFTER auth_failure>3)
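The query above is pseudo-syntax. As an added example, not part of the original advisory, the Python below applies the same log indicators (more than three failed logins followed by a success, web-interface logins from outside a trusted management network, and command execution via the web UI) to constructed syslog-style lines. The log format, the host name ont-411, the event names and the 10.10.0.0/24 management network are assumptions, not Adtran's actual logging.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not Adtran's real log format): timestamp, host, event,
# user and the client IP that reached the web management interface.
SAMPLE_LOGS = """\
2025-03-01T10:00:01Z ont-411 webui: auth_failure user=admin src=203.0.113.7
2025-03-01T10:00:03Z ont-411 webui: auth_failure user=admin src=203.0.113.7
2025-03-01T10:00:05Z ont-411 webui: auth_failure user=admin src=203.0.113.7
2025-03-01T10:00:08Z ont-411 webui: auth_failure user=admin src=203.0.113.7
2025-03-01T10:00:10Z ont-411 webui: auth_success user=admin src=203.0.113.7
2025-03-01T10:00:12Z ont-411 webui: command_execution user=admin src=203.0.113.7
2025-03-01T10:05:00Z ont-411 webui: auth_success user=netops src=10.10.0.5
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ webui: (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]  # assumed management network
FAILURE_THRESHOLD = 3  # the page's "auth_failure>3" condition


def detect(lines, threshold=FAILURE_THRESHOLD, trusted=TRUSTED_MGMT):
    """Return (rule, src, ts) alerts for the advisory's log indicators."""
    alerts = []
    failures = defaultdict(int)  # failed logins per (src, user) since last success
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        ev = m.groupdict()
        key = (ev["src"], ev["user"])
        if ev["event"] == "auth_failure":
            failures[key] += 1
        elif ev["event"] == "auth_success":
            if failures[key] > threshold:
                alerts.append(("brute_force_then_success", ev["src"], ev["ts"]))
            failures[key] = 0
            if not any(ipaddress.ip_address(ev["src"]) in n for n in trusted):
                alerts.append(("login_from_untrusted_network", ev["src"], ev["ts"]))
        elif ev["event"] == "command_execution":
            # Root command execution through the web UI is exactly this CVE's outcome.
            alerts.append(("webui_command_execution", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, src, ts in detect(SAMPLE_LOGS):
        print(f"{ts} {rule} src={src}")
```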

🔗 References
