CVE-2025-2398
📋 TL;DR
This critical vulnerability in China Mobile networking devices allows attackers to use default credentials to gain unauthorized access via the CLI su command handler. Affected devices include P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P models. Remote attackers can exploit this to execute commands with elevated privileges.
💻 Affected Systems
- China Mobile P22g-CIac
- ZXWT-MIG-P4G4V
- ZXWT-MIG-P8G8V
- GT3200-4G4P
- GT3200-8G8P
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to reconfigure network settings, intercept traffic, install persistent backdoors, or use as pivot point for lateral movement.
Likely Case
Unauthorized administrative access enabling configuration changes, service disruption, credential harvesting, and potential data exfiltration.
If Mitigated
Limited impact with proper network segmentation, credential rotation, and access controls preventing exploitation attempts.
🎯 Exploit Status
Exploit details are publicly disclosed but no proof-of-concept code is available. Attack requires knowledge of default credentials and CLI access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 20250305
Vendor Advisory: No vendor advisory available - vendor did not respond to disclosure
Restart Required: No
Instructions:
1. Contact China Mobile for updated firmware versions after 20250305.
2. Apply firmware updates to all affected devices.
3. Verify default credentials are changed during the update process.
🔧 Temporary Workarounds
Change Default Credentials
Immediately change all default passwords and usernames on affected devices (generic CLI syntax shown; adapt to the device's own command set)
configure terminal
username admin secret <new_strong_password>
end
write memory
Restrict CLI Access
Limit CLI access to trusted management networks only (generic CLI syntax shown; adapt to the device's own command set)
access-list 10 permit <trusted_network>
line vty 0 4
access-class 10 in
transport input ssh
end
write memory
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules
- Implement network monitoring for unauthorized CLI access attempts
- Disable telnet and enforce SSH with certificate authentication
- Regularly audit device configurations for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Attempt to access device CLI using default credentials via telnet/SSH. Check if su command allows privilege escalation without proper authentication.
Check Version:
show version | include Version
Verify Fix Applied:
Verify firmware version is newer than 20250305. Test that default credentials no longer work and su command requires proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login
- Multiple su command executions from unusual sources
- Configuration changes from unauthorized users
Network Indicators:
- Telnet/SSH connections from unexpected IP addresses
- Unusual CLI command patterns in network traffic
SIEM Query:
source="network_device" (event_type="authentication" AND result="success" AND user="default_user") OR (event_type="command" AND command="su")
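The three log indicators and the SIEM query above can be turned into a small offline detector. The script below is an added example, not part of the original advisory and not tooling from the vendor or the reporter: it parses constructed key=value log lines (not real output from the affected devices), flags a success login that closely follows failed attempts for the same device/user/source, flags any login by an account listed as a default user, and flags su executions from outside an assumed trusted management network. The trusted network, the default-user set and the time window are placeholders to be replaced with site-specific values.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a key=value syslog style. They are illustrative
# only, not real output from the affected China Mobile / ZXWT / GT3200 devices.
SAMPLE_LOGS = """\
2025-03-10T08:00:01Z dev=gw1 event_type=authentication result=failure user=admin src=10.0.5.7
2025-03-10T08:00:05Z dev=gw1 event_type=authentication result=failure user=admin src=10.0.5.7
2025-03-10T08:00:09Z dev=gw1 event_type=authentication result=success user=admin src=10.0.5.7
2025-03-10T08:00:30Z dev=gw1 event_type=command command=su user=admin src=10.0.5.7
2025-03-10T09:00:00Z dev=gw2 event_type=authentication result=success user=netops src=10.0.1.20
2025-03-10T09:00:10Z dev=gw2 event_type=command command=su user=netops src=10.0.1.20
"""

# Assumptions: the management network, the account names that ship as defaults
# and the correlation window are deployment-specific placeholders.
TRUSTED_MGMT_NET = ipaddress.ip_network("10.0.1.0/24")
DEFAULT_USERS = {"admin"}
FAIL_THEN_SUCCESS_WINDOW = timedelta(minutes=5)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict: parsed timestamp plus key=value fields."""
    ts_str, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    rec.update(KV_RE.findall(rest))
    return rec


def detect(log_text):
    """Return a list of (rule, dev, user, src) tuples for suspicious activity."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    recent_failures = {}  # (dev, user, src) -> timestamp of the last failed login
    for ev in events:
        key = (ev.get("dev"), ev.get("user"), ev.get("src"))
        if ev.get("event_type") == "authentication":
            if ev.get("result") == "failure":
                recent_failures[key] = ev["ts"]
            elif ev.get("result") == "success":
                # Rule 1: failed attempts followed by a success inside the window
                last_fail = recent_failures.pop(key, None)
                if last_fail and ev["ts"] - last_fail <= FAIL_THEN_SUCCESS_WINDOW:
                    alerts.append(("fail_then_success", *key))
                # Rule 2: any successful login by an account in the default-user set
                if ev.get("user") in DEFAULT_USERS:
                    alerts.append(("default_user_login", *key))
        elif ev.get("event_type") == "command" and ev.get("command") == "su":
            # Rule 3: su executed from a source outside the trusted management network
            src = ev.get("src")
            if src and ipaddress.ip_address(src) not in TRUSTED_MGMT_NET:
                alerts.append(("su_from_untrusted_src", *key))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the gw1 session from 10.0.5.7 trips all three rules, while the gw2 session (a non-default account, no prior failures, su from inside the trusted network) produces nothing. Tuning the window and the trusted network to the real management plane is what keeps rule 3 from firing on routine administrator activity.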
🔗 References
- https://github.com/Fizz-L/Vulnerability-report/blob/main/Unauthorized%20access%20to%20execute%20the%20telnet%20command.md
- https://vuldb.com/?ctiid.299897
- https://vuldb.com/?id.299897