CVE-2025-27020

9.8 CRITICAL

📋 TL;DR

An improper SSH configuration in Infinera MTC-9 allows unauthenticated attackers to execute arbitrary commands and access the file system. This affects MTC-9 devices running R22.1.1.0275 up to versions before R23.0.

💻 Affected Systems

Products:
  • Infinera MTC-9
Versions: R22.1.1.0275 to versions before R23.0
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with SSH service enabled in the vulnerable configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, service disruption, and potential lateral movement within the network.

🟠

Likely Case

Unauthorized access to sensitive data and execution of malicious commands on affected devices.

🟢

If Mitigated

Limited impact if SSH is properly secured with authentication and network restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation likely involves connecting to SSH with improper authentication settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R23.0 or later

Vendor Advisory: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27020

Restart Required: Yes

Instructions:

1. Check the current version with the vendor-specific command.
2. Upgrade to R23.0 or later following Infinera's official upgrade procedures.
3. Restart the device as required.

🔧 Temporary Workarounds

Disable SSH or restrict access

Disable the SSH service if it is not needed, or restrict SSH access to trusted IPs only (commands shown for a Linux host running OpenSSH):

# Disable SSH:
systemctl stop sshd; systemctl disable sshd
# Restrict SSH in sshd_config to one account from one trusted address:
AllowUsers user@trusted_ip

🧯 If You Can't Patch

  • Implement strict network access controls to limit SSH traffic to trusted sources only.
  • Monitor SSH logs for unauthorized access attempts and review file system integrity regularly.

🔍 How to Verify

Check if Vulnerable:

Check the device version; if it's R22.1.1.0275 or later but before R23.0, it is vulnerable.

Check Version:

Use the Infinera-specific CLI command to check the firmware version (e.g., 'show version' or similar).

Verify Fix Applied:

Verify the device version is R23.0 or later after patching.
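As an added example (not from the advisory or from Infinera), a small version-range check that encodes the page's bounds (R22.1.1.0275 inclusive, R23.0 exclusive) so an inventory of reported version strings can be triaged consistently; it assumes version strings follow the R<major>.<minor>... form shown on the page, and the inventory values are constructed.

```python
import re

# Affected range from the advisory: R22.1.1.0275 (inclusive) up to, but not
# including, R23.0. Both bounds are the page's values.
AFFECTED_MIN = "R22.1.1.0275"
FIXED_IN = "R23.0"

# Optional leading 'R', then dot-separated numeric components (assumed format).
_VERSION_RE = re.compile(r"^R?(\d+(?:\.\d+)*)$")


def parse_version(version: str) -> tuple:
    """Turn 'R22.1.1.0275' into (22, 1, 1, 275); leading zeros are insignificant."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MTC-9 version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the reported version falls inside [R22.1.1.0275, R23.0).

    Tuples compare component by component, so R22.5 sorts after R22.1.1.0275
    and R23.0.1 sorts after R23.0, matching the advisory's range semantics.
    """
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED_IN)


def triage(inventory: dict) -> dict:
    """Map each device name to 'affected', 'not affected' or 'unknown'.

    'unknown' is returned for strings that do not parse, so a malformed
    inventory entry is flagged for manual review rather than silently
    counted as patched.
    """
    result = {}
    for name, ver in inventory.items():
        try:
            result[name] = "affected" if is_affected(ver) else "not affected"
        except ValueError:
            result[name] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; device names and versions are illustrative.
    sample = {"mtc9-core-01": "R22.1.1.0275", "mtc9-core-02": "R23.0",
              "mtc9-edge-07": "R22.4.0.0012", "mtc9-lab-01": "pending"}
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```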

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH authentication attempts from unknown IPs
  • Unusual command execution in SSH logs

Network Indicators:

  • SSH connections from unexpected sources
  • Anomalous outbound traffic post-SSH access

SIEM Query:

source="ssh_logs" AND (event="authentication failure" OR event="session opened") | stats count by src_ip
