CVE-2025-35021
📋 TL;DR
This vulnerability allows attackers to bypass SSH authentication on unconfigured Abilis CPX devices by making three failed login attempts, then gaining access to a restricted shell on the fourth attempt. From this shell, attackers can relay connections to other systems. This affects organizations using Abilis CPX devices that haven't been properly configured.
💻 Affected Systems
- Abilis CPX running firmware earlier than R9.0.7 (the release that carries the fix)
📦 What is this software?
Abilis CPX is a family of multiservice network appliances from Abilis that combine routing with other gateway functions and are administered through a command-line interface reachable over SSH, which is the service this issue affects.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain initial access to network infrastructure, pivot to internal systems, and potentially compromise critical network segments or exfiltrate sensitive data.
Likely Case
Attackers gain limited shell access to unconfigured devices, enabling reconnaissance and potential lateral movement within the network.
If Mitigated
Properly configured devices with authentication enabled remain unaffected, limiting impact to misconfigured or newly deployed systems.
🎯 Exploit Status
Exploitation requires no credentials, only network reachability to the device's SSH service: three failed password attempts followed by a fourth attempt with any username and password yield the restricted shell, which can then be used to relay connections to other hosts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R9.0.7
Vendor Advisory: https://support.abilis.net/relnotes/cpx2k/R9.0.html#R9.0.7
Restart Required: Yes
Instructions:
1. Download the R9.0.7 firmware from the Abilis support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or CLI.
4. Reboot the device.
5. Confirm that the reported version is R9.0.7.
🔧 Temporary Workarounds
Configure SSH Authentication
Applies to: all CPX devices. Enable SSH authentication with strong, unique credentials on every device, in particular newly deployed or factory-state units, since the bypass only works on unconfigured devices. The commands below are indicative; confirm the exact syntax against the CPX manual for your release before applying them.
CONFIG SSH AUTHENTICATION ENABLE
CONFIG SSH USER ADD username password
Network Access Control
Applies to: all CPX devices. Restrict SSH access to trusted management networks only, both on the device itself and on upstream firewalls, so that an unconfigured unit is never reachable from untrusted segments. As above, verify the command syntax against the vendor documentation.
CONFIG SSH ACCESS-CONTROL ADD ip-address subnet-mask
🧯 If You Can't Patch
- Ensure all CPX devices have SSH authentication properly configured with strong passwords
- Implement network segmentation to isolate CPX devices from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Against a device you own or are authorised to test, attempt an SSH login with any username and a wrong password three times, then make a fourth attempt with any credentials. If the fourth attempt drops you into a restricted shell instead of failing, the device is vulnerable. Use a test host whose address you can later recognise in the device logs, and note that a device on which all four attempts fail is either already configured or already patched.
Check Version:
SHOW VERSION
Verify Fix Applied:
After patching, repeat the vulnerable test. You should receive authentication failure on all attempts with no shell access.
📡 Detection & Monitoring
Log Indicators:
- Three consecutive SSH authentication failures from one source address followed by a session being granted to that same source on the fourth attempt
- SSH sessions from unusual IP addresses
- Restricted shell access logs
Network Indicators:
- SSH connection patterns from a single source of three failures followed by an established session
- Unusual outbound connections from CPX devices
SIEM Query (Splunk SPL; the source, event_type, result and src_ip field names are assumptions and must be mapped onto your actual CPX log schema):
source="cpx-logs" event_type="ssh_auth"
| sort 0 _time
| streamstats time_window=10s count(eval(result="failure")) AS recent_failures BY src_ip
| search result="success" recent_failures>=3
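The same detection logic, applied to raw log lines outside a SIEM, as an added example that is not part of the original advisory or of any Abilis tooling. The log line format, the field names and the sample events are constructed for the example; the real CPX syslog format will differ, so the regular expression is the part to adapt. The function goes slightly beyond the page's indicator by tracking each source address separately, so interleaved attempts from several hosts do not mask or fake the pattern, and by enforcing the 10-second window.

```python
"""Flag SSH sessions granted right after a burst of failures from the same source."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format for this example; adapt to the real CPX syslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) ssh: "
    r"auth (?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 fails three times within 6 s and then gets a
# session (the bypass pattern); 198.51.100.7 has two failures 17 s apart, which
# fall outside the window; 192.0.2.10 logs in cleanly.
SAMPLE_LOG = """\
2025-06-01T10:00:00 cpx01 ssh: auth failure user=admin src=203.0.113.5
2025-06-01T10:00:02 cpx01 ssh: auth failure user=admin src=203.0.113.5
2025-06-01T10:00:03 cpx01 ssh: auth failure user=root src=198.51.100.7
2025-06-01T10:00:04 cpx01 ssh: auth failure user=admin src=203.0.113.5
2025-06-01T10:00:06 cpx01 ssh: auth success user=admin src=203.0.113.5
2025-06-01T10:00:20 cpx01 ssh: auth failure user=root src=198.51.100.7
2025-06-01T10:00:21 cpx01 ssh: auth success user=root src=198.51.100.7
2025-06-01T10:05:00 cpx01 ssh: auth success user=ops src=192.0.2.10
""".splitlines()


def parse_line(line):
    """Return a dict for a recognised auth event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_bypass_candidates(lines, min_failures=3, window_s=10):
    """Return (src, user, iso_timestamp) for every granted session that was
    preceded, from the same source, by at least min_failures failures inside
    the last window_s seconds. Events are sorted by time first so the sliding
    window is correct even if the log was assembled out of order."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> timestamps of failures still in the window
    hits = []
    for ev in events:
        q = recent[ev["src"]]
        # Expire failures that fall outside the window relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            continue
        if len(q) >= min_failures:
            hits.append((ev["src"], ev["user"], ev["ts"].isoformat()))
        q.clear()  # a granted session ends the burst for that source
    return hits


if __name__ == "__main__":
    for src, user, ts in find_bypass_candidates(SAMPLE_LOG):
        print(f"possible CVE-2025-35021 bypass: src={src} user={user} at {ts}")
```

Run it against a syslog export from the device or from your collector; one line of output per suspicious session. Because the fourth attempt may be recorded differently from an ordinary login on real hardware, check how your CPX firmware logs it and adjust the `result` alternatives in the pattern accordingly.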
🔗 References
- https://support.abilis.net/relnotes/cpx2k/R9.0.html#R9.0.7
- https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100
- https://www.runzero.com/advisories/abilis-cpx-authentication-bypass-cve-2025-35021/