CVE-2025-26487
Infinera · Infinera MTC-9
Executive summary
A high-severity vulnerability has been identified in the Infinera MTC-9 network appliance. This flaw, known as a Server-Side Request Forgery (SSRF), allows an unauthenticated attacker on the internet to force the device to send malicious requests to other systems within your internal network. Successful exploitation could lead to unauthorized access to internal resources, data breaches, and further network compromise.
Vulnerability
This is a Server-Side Request Forgery (SSRF) vulnerability. A remote, unauthenticated attacker can craft a malicious HTTPS request and send it to the public-facing interface of the vulnerable Infinera MTC-9 appliance. The appliance fails to properly validate the user-supplied input in the request, causing it to initiate a new HTTPS connection to an arbitrary destination specified by the attacker. This effectively allows the appliance to act as a proxy or bridge, enabling the attacker to bypass perimeter security controls like firewalls and interact with, scan, or exfiltrate data from sensitive systems on the internal network.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.6. Exploitation allows an external threat actor to pivot into the internal corporate network, posing a significant risk to the organization. Potential consequences include unauthorized access to internal web applications, databases, and file servers; reconnaissance of the internal network topology; and the potential for lateral movement leading to a wider system compromise. This could result in sensitive data exfiltration, service disruption, and significant reputational damage.
Remediation
Immediate Action: Apply the security updates provided by the vendor to all affected Infinera MTC-9 appliances immediately. After patching, review device and network access logs for any signs of exploitation that may have occurred prior to the update.
Proactive Monitoring: Monitor network traffic originating from the Infinera MTC-9 appliances. Specifically, look for unusual outbound HTTPS requests from the appliance to internal IP addresses and services that it does not normally communicate with. Implement alerts for connections to non-standard ports or for high volumes of connection attempts that could indicate network scanning.
Compensating Controls: If patching cannot be performed immediately, implement strict network segmentation and firewall rules to restrict the appliance's ability to initiate connections to the internal network. Only allow communication from the appliance to known, required internal systems and block all other outbound traffic from the device's management interface.
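The checks described under Proactive Monitoring, using the same "known, required internal systems" allowlist as the compensating control, can be sketched as follows. This is an added example, not vendor or advisory code; the appliance address, approved peer, internal ranges, thresholds and flow-record format are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Every value here is constructed for illustration, not taken from the advisory.
APPLIANCES = {"10.20.0.5"}            # MTC-9 management addresses (assumed)
ALLOWED = {("10.20.1.10", 443)}       # known, required internal peers (assumed)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 5                    # distinct unapproved targets per window

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2025-01-01T10:00:00 10.20.0.5 10.20.1.10 443
2025-01-01T10:00:05 10.20.0.5 10.30.4.7 443
2025-01-01T10:00:06 10.20.0.5 10.30.4.7 8443
2025-01-01T10:00:07 10.20.0.5 10.30.4.8 22
2025-01-01T10:00:08 10.20.0.5 10.30.4.9 3306
2025-01-01T10:00:09 10.20.0.5 10.30.4.10 5432
2025-01-01T10:00:10 10.40.0.9 10.30.4.7 22
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect(flows):
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, src, dst, dport in flows:
        if src not in APPLIANCES or (dst, dport) in ALLOWED:
            continue                  # not an appliance, or an approved peer
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL):
            alerts.append(("unexpected-internal", src, dst, dport))
        if dport != 443:
            alerts.append(("non-standard-port", src, dst, dport))
        # Sliding window of unapproved targets; many distinct ones suggests scanning.
        recent[src] = [(t, k) for t, k in recent[src] if ts - t <= SCAN_WINDOW]
        recent[src].append((ts, (dst, dport)))
        if len({k for _, k in recent[src]}) >= SCAN_THRESHOLD and src not in flagged:
            flagged.add(src)          # alert once per source in this run
            alerts.append(("possible-scan", src, None, None))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_FLOWS)):
        print(alert)
```

The same allowlist can drive both the firewall rules and the alerting, so a connection the firewall should have blocked still surfaces as an alert if a rule is missing.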
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.6) of this vulnerability and its potential to grant unauthenticated attackers a foothold within the internal network, immediate action is required. Organizations must prioritize the deployment of vendor-supplied patches to all affected systems. Although this vulnerability is not currently listed on the CISA KEV list, its impact makes it a prime candidate for future inclusion and targeted exploitation. Proactive monitoring and the application of compensating controls are strongly recommended until all devices are confirmed to be patched.