CVE-2025-27021

02.07.2025, 09:15

The misconfiguration in the sudoers configuration of the operating system in
 Infinera G42 version R6.1.3 allows low privileged OS users to 
read/write physical memory via devmem command line tool. 
This could 
allow sensitive information disclosure, denial of service, and privilege 
escalation by tampering with kernel memory.


Details: The output of "sudo -l" reports the presence of "devmem" command 
executable as super user without using a password. This command allows 
to read and write an arbitrary memory area of the target device, 
specifying an absolute address.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7 HIGH	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA	CNA	7 HIGH	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Common Weakness Enumeration

CWE-266 - Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27021

https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27021