CVE-2025-22939

CriticalPublic PoCRCE

Published: 31 March 2025

Published

31 March 2025

Modified

18 August 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0619 90.9th percentile

Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22939 is a critical-severity Command Injection (CWE-77) vulnerability in Adtran 411 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely remediation of the command injection flaw via firmware patching directly prevents exploitation of CVE-2025-22939 in the Adtran 411 ONT telnet service.

SI-10 Information Input Validation good match

prevent

Validating all inputs to the telnet service blocks specially crafted payloads that enable command injection and root escalation.

CM-7 Least Functionality good match

prevent

Prohibiting or restricting the telnet service enforces least functionality, eliminating network exposure to this unauthenticated remote vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection in exposed telnet service directly enables remote unauthenticated arbitrary command execution on Unix-based device and root privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A command injection vulnerability in the telnet service of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands.

Deeper analysisAI

CVE-2025-22939 is a command injection vulnerability (CWE-77) in the telnet service of the Adtran 411 ONT running firmware version L80.00.0011.M2. This flaw enables attackers to escalate privileges to root and execute arbitrary commands on the affected device. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

Remote attackers can exploit this vulnerability over the network by sending specially crafted input to the telnet service, achieving unauthenticated root privilege escalation and full arbitrary command execution. Successful exploitation grants complete control over the ONT device, potentially allowing attackers to manipulate network traffic, install persistent malware, or pivot to other systems in the ISP environment.

Mitigation details and further technical analysis are available in advisories referenced at https://drive.google.com/file/d/1levaZk5aC6g6a2zPW8xlOIVAu9MFYvAz/view, https://lanrat.com/posts/adtran-isp-hacking/, and https://www.youtube.com/watch?v=Aic-QaSqjxc. Security practitioners should review these sources for patch availability or workaround guidance specific to Adtran 411 ONT deployments.