CVE-2025-27020
Infinera · Infinera MTC-9
Executive summary
A critical vulnerability has been discovered in multiple Infinera products, specifically affecting the MTC-9 platform. This flaw stems from an improper configuration of the SSH service, which allows an unauthenticated remote attacker to bypass security controls, execute arbitrary commands, and access sensitive data on the underlying file system, potentially leading to a complete system compromise.
Vulnerability
The vulnerability is an improper configuration within the SSH service on affected Infinera devices. This misconfiguration allows an attacker to connect to the device without providing valid credentials. Upon successful connection, the attacker can execute arbitrary commands with the privileges of the SSH service, granting them unauthorized control over the device and access to the entire file system.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a severe impact on business operations, leading to a complete loss of confidentiality, integrity, and availability of the affected device. An attacker could exfiltrate sensitive network configuration data, disrupt network services by modifying or deleting critical files, or use the compromised device as a pivot point to launch further attacks against the internal network.
Remediation
Immediate Action: Apply the vendor-supplied security update to upgrade affected Infinera MTC-9 devices to version R23.0 or a later release. After patching, review SSH access logs for any signs of compromise that may have occurred before the update.
Proactive Monitoring: Implement continuous monitoring of network traffic to and from affected devices. Specifically, monitor for unusual or unauthorized SSH connection attempts (port 22) from unknown IP addresses. Review system and audit logs for unexpected command execution or file modifications that could indicate a successful exploit.
Compensating Controls: If immediate patching is not feasible, implement network-level access controls as a temporary mitigation. Use a firewall or Access Control Lists (ACLs) to restrict SSH access to the affected devices, allowing connections only from a trusted management network or specific, authorized IP addresses.
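One way to carry out the log review and SSH monitoring described above, as an added example that is not vendor or advisory code: it lists SSH events whose source address falls outside the trusted management network. The OpenSSH-style syslog format, the `TRUSTED_NETS` range, and the sample lines are assumptions constructed for illustration; the page does not describe the MTC-9's actual log format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the management network allowed to reach SSH (constructed range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Assumption: OpenSSH-style syslog messages ("... from <ip> port <n>" or
# "... by <ip> port <n>"). Adjust the pattern to the device's real format.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<msg>.*?)\b(?:from|by) (?P<ip>[0-9A-Fa-f:.]+) port \d+"
)

# Constructed sample log; host name, users and addresses are illustrative.
SAMPLE_LOG = """\
Mar  3 02:11:40 mtc9 sshd[812]: Accepted password for admin from 192.0.2.5 port 51514 ssh2
Mar  3 02:14:02 mtc9 sshd[845]: Connection from 203.0.113.7 port 40022 on 192.0.2.1 port 22
Mar  3 02:14:03 mtc9 sshd[845]: Accepted password for admin from 203.0.113.7 port 40022 ssh2
Mar  3 02:20:19 mtc9 sshd[861]: Failed password for invalid user root from 198.51.100.9 port 2222 ssh2
Mar  3 02:20:21 mtc9 sshd[861]: Connection closed by 198.51.100.9 port 2222 [preauth]
""".splitlines()


def review_ssh_log(lines, trusted_nets=TRUSTED_NETS):
    """Count SSH events per source address outside the trusted networks.

    Returns {ip: {"accepted": n, "other": n}}. Any "accepted" entry is a
    session from an unapproved source and should be investigated first.
    """
    findings = defaultdict(lambda: {"accepted": 0, "other": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd line carrying a peer address
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparseable address; skip rather than guess
        if any(src in net for net in trusted_nets):
            continue  # expected management traffic
        kind = "accepted" if m["msg"].startswith("Accepted") else "other"
        findings[str(src)][kind] += 1
    return dict(findings)


if __name__ == "__main__":
    for ip, counts in sorted(review_ssh_log(SAMPLE_LOG).items()):
        flag = "INVESTIGATE" if counts["accepted"] else "attempt only"
        print(f"{ip:15} accepted={counts['accepted']} other={counts['other']} {flag}")
```

The same allowlist that drives this review should match the firewall or ACL rule used as the compensating control, so that a source accepted by one is never unknown to the other.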
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability represents a significant and immediate risk to the organization. We strongly recommend that the vendor's patch be applied to all affected Infinera MTC-9 devices with the highest priority. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime target for exploitation, and it should be remediated as an emergency change.