Cyber Posture

CVE-2025-22938

Critical · Public PoC

Published: 31 March 2025

Modified: 18 August 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22938 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Adtran 411 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 43.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: IA-5 mandates management of authenticators by prohibiting defaults and enforcing strength requirements to block unauthorized access via weak passwords.

Prevent: AC-2 requires account management including review, disabling unused accounts, and changing default credentials to prevent exploitation of weak defaults.

Prevent: CM-6 enforces secure baseline configuration settings that explicitly address changing weak default passwords on devices like the Adtran 411 ONT.

MITRE ATT&CK Enterprise Techniques · AI

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability consists of weak/default credentials on a remotely accessible device, directly enabling initial access via known default accounts without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Adtran 411 ONT L80.00.0011.M2 was discovered to contain weak default passwords.

Deeper analysis · AI

CVE-2025-22938 affects the Adtran 411 ONT running firmware version L80.00.0011.M2, which contains weak default passwords. This vulnerability, published on 2025-03-31, is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-1393. The issue enables unauthorized access due to easily guessable or known default credentials on the optical network terminal (ONT) device.

A remote attacker with network access can exploit this vulnerability without privileges or user interaction by leveraging the weak default passwords to authenticate and gain control. Successful exploitation allows high-impact compromise, including unauthorized access to confidential data, modification of system integrity, and disruption of availability, potentially leading to full device takeover.

Advisories and further details are available in the provided references, including https://drive.google.com/file/d/1levaZk5aC6g6a2zPW8xlOIVAu9MFYvAz/view and https://lanrat.com/posts/adtran-isp-hacking/.

Details

CWE(s)

Affected Products

adtran
411 firmware
l80.00.0011.m2

CVEs Like This One

CVE-2025-22939 (same product: Adtran 411)
CVE-2025-22940 (same product: Adtran 411)
CVE-2025-22937 (same product: Adtran 411)
CVE-2025-22941 (same product: Adtran 411)
CVE-2024-49559 (shared CWE-1393)
CVE-2025-2347 (shared CWE-1393)
CVE-2026-33784 (shared CWE-1393)
CVE-2026-4404 (shared CWE-1393)
CVE-2025-26793 (shared CWE-1393)
CVE-2026-24429 (shared CWE-1393)

References