Cyber Resilience

CVE-2025-22939

CriticalPublic PoCRCE

Published: 31 March 2025

Published
31 March 2025
Modified
18 August 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0541 90.3th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22939 is a critical-severity Command Injection (CWE-77) vulnerability in Adtran 411 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

A command injection vulnerability exists in the telnet service of Adtran 411 ONT devices running firmware L80.00.0011.M2. The flaw, tracked as CVE-2025-22939 and assigned CWE-77, permits unauthenticated remote attackers to inject and execute operating system commands. It carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.

An attacker with network access to the telnet service can exploit the injection to escalate privileges directly to root and run arbitrary commands on the device. No user interaction or credentials are required, enabling straightforward remote compromise of affected ONT units deployed in ISP environments.

Public references, including technical write-ups and demonstration material, document the issue but do not include vendor-issued patches or official mitigation guidance. The EPSS score rose from lower values to a peak of 0.1822 before receding to the current 0.0541, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

A command injection vulnerability in the telnet service of Adtran 411 ONT L80.00.0011.M2 allows attackers to escalate privileges to root and execute arbitrary commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in exposed telnet service directly enables remote unauthenticated arbitrary command execution on Unix-based device and root privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22941Same product: Adtran 411
CVE-2025-22937Same product: Adtran 411
CVE-2025-22940Same product: Adtran 411
CVE-2025-22938Same product: Adtran 411
CVE-2025-64424Shared CWE-77
CVE-2026-38703Shared CWE-77
CVE-2024-53945Shared CWE-77
CVE-2026-38702Shared CWE-77
CVE-2026-20094Shared CWE-77
CVE-2026-3519Shared CWE-77

Affected Assets

adtran
411 firmware
l80.00.0011.m2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely remediation of the command injection flaw via firmware patching directly prevents exploitation of CVE-2025-22939 in the Adtran 411 ONT telnet service.

prevent

Validating all inputs to the telnet service blocks specially crafted payloads that enable command injection and root escalation.

prevent

Prohibiting or restricting the telnet service enforces least functionality, eliminating network exposure to this unauthenticated remote vulnerability.

References