Cyber Posture

CVE-2025-2398

High

Published: 17 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2398 is a high-severity Use of Default Credentials (CWE-1392) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 45.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mandates changing default authenticators prior to first use, preventing exploitation of default credentials in the CLI su Command Handler.

prevent

Requires management of accounts including disabling unnecessary ones and establishing strong initial authenticators, mitigating default credential usage.

prevent

Establishes and enforces secure configuration settings that include changing default credentials and hardening CLI interfaces against this vulnerability.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The CVE is explicitly mapped to CWE-1392 (Use of Default Credentials) and describes exploitation of default credentials enabling remote unauthorized access and command execution (e.g., telnet) on the affected CLI.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been rated as critical. This issue affects some unknown processing of the component CLI su Command Handler. The manipulation leads to use of default credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2025-2398 is a vulnerability in the CLI su Command Handler of China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P, and GT3200-8G8P devices running firmware up to version 20250305. Rated as critical with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-1392 (Use of Default Credentials), the flaw allows manipulation leading to exploitation of default credentials.

The vulnerability can be exploited remotely by attackers who possess high privileges on the affected system. Successful exploitation enables high confidentiality, integrity, and availability impacts, facilitating unauthorized access such as execution of telnet commands, as detailed in public disclosures.

Advisories from VulDB and GitHub vulnerability reports indicate that the vendor was contacted early regarding the issue but provided no response. No patches or official mitigations are mentioned, and the exploit has been publicly disclosed, including proof-of-concept details in repositories like https://github.com/Fizz-L/Vulnerability-report/blob/main/Unauthorized%20access%20to%20execute%20the%20telnet%20command.md and VulDB entries at https://vuldb.com/?ctiid.299897 and https://vuldb.com/?id.299897.

Details

CWE(s)

CVEs Like This One

CVE-2025-8731 (Shared CWE-1392)
CVE-2026-26341 (Shared CWE-1392)
CVE-2025-1160 (Shared CWE-1392)
CVE-2025-54756 (Shared CWE-1392)
CVE-2025-10542 (Shared CWE-1392)
CVE-2026-27751 (Shared CWE-1392)
CVE-2026-1803 (Shared CWE-1392)
CVE-2026-1972 (Shared CWE-1392)
CVE-2022-50803 (Shared CWE-1392)
CVE-2025-34516 (Shared CWE-1392)
