CVE-2021-25681
published 2021-04-20

Priority: high
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public PoC referenced
EPSS: 13.42% (95.9th percentile)

Description
AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched

Affected (1 range)

Vendor   Product                  Version range   Fixed in
adtran   personal_phone_manager   (not listed)    (none; product is End of Life)

Detection & IOCs (extracted from sources)

Request line seen in the PoC (URL / command IOC):
  GET http://mydns.attack.com/ HTTP/1.1
  • Detect HTTP GET requests to the AdTran Personal Phone Manager server in which the request line carries an absolute URI whose host does not match the Host header (i.e., the GET line references an external, attacker-controlled domain). This mismatch is the trigger for the arbitrary DNS resolution and tunneling.
  • Monitor AdTran Personal Phone Manager (NetVanta 7060/7100) servers for outbound DNS queries to domains outside the application's own namespace, especially queries that immediately follow inbound HTTP requests with a mismatched Host header and request-line URI; that pairing indicates DNS tunneling or C2 redirection abuse.
  • Look for HTTP requests to AdTran Personal Phone Manager that combine the headers Cache-Control: no-cache, no-transform and Pragma: no-cache with an external domain in the request line; this matches the PoC exploit pattern.
  • The vulnerability affects only AdTran Personal Phone Manager v10.8.1 running on NetVanta 7060 and NetVanta 7100 appliances, both of which are End of Life (software support ended June 2018, product EOL December 2020). No patch will be issued by AdTran.
  • Exploitation requires the AdTran Personal Phone Manager web server to be exposed to, or otherwise reachable by, the attacker. Restricting external access to the management interface reduces the attack surface.
  • The researcher's mitigation guidance is to reconfigure the server so that it does not perform arbitrary DNS lookups when the Host header and request-line URI do not match, and to scope requests to the application context only. Because the product is EOL, vendor-supported remediation is unavailable.
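The first and third detection bullets above can be checked mechanically on captured requests. The following is an added example written for this record, not code from the CVE source or from AdTran; the server hostname, the sample requests and the field names in the returned finding are constructed for illustration.

```python
"""Flag HTTP requests whose absolute-form request target names a host other
than the Host header (the CVE-2021-25681 trigger pattern), and note whether
the PoC's cache headers accompany it. Added example; hostnames are placeholders."""
from typing import Optional
from urllib.parse import urlsplit


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def host_mismatch(req: dict) -> Optional[str]:
    """Return the foreign host named in the request line when it differs from
    the Host header (port ignored), else None. Origin-form targets never mismatch."""
    target = req["target"]
    if "://" not in target:
        return None
    target_host = (urlsplit(target).hostname or "").lower()
    declared = req["headers"].get("host", "").split(":")[0].lower()
    if target_host and target_host != declared:
        return target_host
    return None


def classify(raw: bytes) -> dict:
    """Produce a finding: the foreign host (if any) and whether the PoC header
    pair Cache-Control: no-cache, no-transform / Pragma: no-cache is present."""
    req = parse_request(raw)
    foreign = host_mismatch(req)
    h = req["headers"]
    poc_headers = ("no-transform" in h.get("cache-control", "")
                   and h.get("pragma", "") == "no-cache")
    return {"foreign_host": foreign, "poc_headers": poc_headers,
            "alert": foreign is not None}


# Constructed sample traffic: a normal page fetch and the PoC-shaped request.
BENIGN = b"GET /ppm/index.html HTTP/1.1\r\nHost: ppm.example.internal\r\n\r\n"
SUSPECT = (b"GET http://mydns.attack.com/ HTTP/1.1\r\n"
           b"Host: ppm.example.internal\r\n"
           b"Cache-Control: no-cache, no-transform\r\nPragma: no-cache\r\n\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(classify(sample))
```

Feed it request captures from a proxy or packet capture in front of the appliance; a hit on the foreign-host condition alone is the indicator, and the header pair only raises confidence that it is the published PoC.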

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_cisco    -         8.1     HIGH       -