CVE-2025-27023

EUVD-2025-19696

02.07.2025, 10:15

Lack or insufficent input validation in WebGUI CLI web in Infinera G42
version R6.1.3 allows remote authenticated users to read all OS files
via crafted CLI commands.

Details: The web interface based management of the Infinera G42 appliance enables the feature of
executing a restricted set of commands. This feature
also offers the option to execute a script-file already present on the target
device. When a non-script or incorrect file is specified, the content
of the file is shown along with an error message. Due to an execution of the http service with a privileged user all files on the file system can be viewed this way.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ENISA	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Affected Products (NVD)

Vendor	Product	Version
nokia	g42_firmware	6.1.3 ≤ 𝑥 < 7.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27023

https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27023