CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27026 – Improper Access Control Granularity impacting Infinera G42
https://notcve.org/view.php?id=CVE-2025-27026
02 Jul 2025 — A missing double-check feature in the WebGUI for CLI deactivation in Infinera G42 version R6.1.3 allows an authenticated administrator to make other management interfaces unavailable via local and network interfaces. The CLI deactivation via the WebGUI does not only stop CLI interface but deactivates also Linux Shell, WebGUI and Physical Serial Console access. No confirmation is asked at deactivation time. Loosing access to these services device administrators are at risk of completely loosing device contro... • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27026 • CWE-1220: Insufficient Granularity of Access Control •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27025 – Improper File Access in Infinera G42
https://notcve.org/view.php?id=CVE-2025-27025
02 Jul 2025 — The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system. Files are written as root. Using Postman it is possible to perform a Directory Traversal attack and write files into any location of the device file system. • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27025 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27024 – Improper File Access in Infinera G42
https://notcve.org/view.php?id=CVE-2025-27024
02 Jul 2025 — Unrestricted access to OS file system in SFTP service in Infinera G42 version R6.1.3 allows remote authenticated users to read/write OS files via SFTP connections. Details: Account members of the Network Administrator profile can access the target machine via SFTP with the same credentials used for SSH CLI access and are able to read all files according to the OS permission instead of remaining inside the chrooted directory position. • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27024 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27023 – Improper Input Validation in Infinera G42
https://notcve.org/view.php?id=CVE-2025-27023
02 Jul 2025 — Lack or insufficent input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance enables the feature of executing a restricted set of commands. This feature also offers the option to execute a script-file already present on the target device. When a non-script or incorrect file is specified, the content of the file is shown along with an error messag... • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27023 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27022 – Path Traversal Vulnerability in Infinera G42
https://notcve.org/view.php?id=CVE-2025-27022
02 Jul 2025 — A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack or insufficient validation of user-supplied input allows authenticated users to access all files on the target machine file system that are readable to the user account used to run the httpd service. • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27022 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27021 – Operating System Misconfiguration in Infinera G42
https://notcve.org/view.php?id=CVE-2025-27021
02 Jul 2025 — The misconfiguration in the sudoers configuration of the operating system in Infinera G42 version R6.1.3 allows low privileged OS users to read/write physical memory via devmem command line tool. This could allow sensitive information disclosure, denial of service, and privilege escalation by tampering with kernel memory. Details: The output of "sudo -l" reports the presence of "devmem" command executable as super user without using a password. This command allows to read and write an arbitrary memory area ... • https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27021 • CWE-266: Incorrect Privilege Assignment •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25661
https://notcve.org/view.php?id=CVE-2024-25661
01 Oct 2024 — In Infinera TNMS (Transcend Network Management System) 19.10.3, cleartext storage of sensitive information in memory of the desktop application TNMS Client allows guest OS administrators to obtain various users' passwords by reading memory dumps of the desktop application. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25661 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25659
https://notcve.org/view.php?id=CVE-2024-25659
01 Oct 2024 — In Infinera TNMS (Transcend Network Management System) 19.10.3, an insecure default configuration of the internal SFTP server on Linux servers allows remote attacker to access files and directories outside the SFTP user home directory. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25659 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25660
https://notcve.org/view.php?id=CVE-2024-25660
01 Oct 2024 — The WebDAV service in Infinera TNMS (Transcend Network Management System) 19.10.3 allows a low-privileged remote attacker to conduct unauthorized file operations, because of execution with unnecessary privileges. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25660 • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28810
https://notcve.org/view.php?id=CVE-2024-28810
30 Sep 2024 — An issue was discovered in Infinera hiT 7300 5.60.50. Sensitive information inside diagnostic files (exported by the @CT application) allows an attacker to achieve loss of confidentiality by analyzing these files. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-28810 • CWE-312: Cleartext Storage of Sensitive Information •