CVE-2025-27019

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in Infinera MTC-9's remote shell service allows unauthenticated attackers to gain full system access via reverse shells using password-less accounts. It affects MTC-9 devices running specific firmware versions, enabling complete compromise of affected systems.

💻 Affected Systems

Products:
  • Infinera MTC-9
Versions: R22.1.1.0275 up to, but not including, R23.0
Operating Systems: Embedded system firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the remote shell service (RSH) component specifically. All devices running affected firmware versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover, data exfiltration, lateral movement to other systems, and persistent backdoor installation leading to operational disruption.

🟠 Likely Case

Unauthorized remote access to the device, configuration changes, credential harvesting, and potential use as a pivot point for network attacks.

🟢 If Mitigated

Limited impact if device is isolated, has strict network controls, and reverse shell attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation leverages password-less accounts and reverse shell activation, making it straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R23.0 or later

Vendor Advisory: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27019

Restart Required: Yes

Instructions:

1. Download R23.0+ firmware from Infinera support portal.
2. Backup current configuration.
3. Apply firmware update via management interface.
4. Reboot device.
5. Verify version with 'show version' command.

🔧 Temporary Workarounds

Disable Remote Shell Service

Completely disable the vulnerable RSH service if not required for operations

configure terminal
no service rsh
write memory

Network Access Control

Restrict network access to MTC-9 management interfaces using firewall rules

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules allowing only necessary traffic
  • Implement network monitoring for reverse shell connections and unusual outbound connections

🔍 How to Verify

Check if Vulnerable:

Check the firmware version with the 'show version' command. If the version is R22.1.1.0275 or later and earlier than R23.0, the device is vulnerable.

Check Version:

show version

Verify Fix Applied:

After patching, verify version is R23.0 or later with 'show version'. Test RSH service functionality if required.
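
For a fleet, the version check above can be scripted. The following is an added example, not vendor code: it classifies captured 'show version' text against the affected range stated on this page. The output layout, the hostnames, the zero-padding of short versions and the numeric reading of each field are assumptions.

```python
import re

# Affected range as stated on this page: R22.1.1.0275 up to, not including, R23.0.
FIRST_AFFECTED = (22, 1, 1, 275)
FIRST_FIXED = (23, 0)

# Assumption: release strings look like "R<num>.<num>[.<num>...]", as in the two
# versions quoted on this page. The string is searched for, not anchored, because
# the exact layout of 'show version' output is not given here.
RELEASE_RE = re.compile(r"\bR(\d+(?:\.\d+)+)\b")


def parse_release(text):
    """Return the release as a tuple of ints, or None if none is found."""
    m = RELEASE_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(text):
    """Map one device's version output to a triage status."""
    v = parse_release(text)
    if v is None:
        return "unknown"  # unreachable device, unexpected output: check by hand
    # Assumption: missing trailing fields count as 0, so R23.0 == R23.0.0.0.
    width = max(len(v), len(FIRST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    if pad(v) >= pad(FIRST_FIXED):
        return "fixed"
    if pad(v) >= pad(FIRST_AFFECTED):
        return "vulnerable"
    return "below-listed-range"  # older than the range this page lists


def triage(inventory):
    """inventory: {hostname: captured 'show version' text} -> {hostname: status}."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (hostnames and output layout are made up).
SAMPLE = {
    "mtc9-lab-01": "Software version: R22.1.1.0275",
    "mtc9-lab-02": "Software version: R22.2.0.0100",
    "mtc9-lab-03": "Software version: R23.0",
    "mtc9-lab-04": "Software version: R21.4.2.0010",
    "mtc9-lab-05": "connection timed out",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Devices reported as "below-listed-range" run firmware older than the range given here; this page does not say whether they are affected, so treat them as unresolved rather than safe.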

📡 Detection & Monitoring

Log Indicators:

  • Unusual RSH service activations
  • Failed authentication attempts to password-less accounts
  • Reverse shell connection logs

Network Indicators:

  • Unexpected outbound connections from MTC-9 devices
  • RSH traffic on non-standard ports
  • Reverse shell patterns in network traffic

SIEM Query:

source_ip=MTC-9 AND (protocol=RSH OR dest_port IN [514, 1023-65535])
