Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Default SFTP server is remotely reachable and bypasses auth, so AV:N/AC:L/PR:N/UI:N; read and modify of system files gives C:H/I:H, and no described DoS gives A:N.
Primary rating from Vendor (Ciena).
CVSS VectorVendor: Ciena
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
An authentication bypass vulnerability exists in the default SFTP server component utilized across the Ciena products listed. This vulnerability allows a remote, unauthenticated attacker to bypass security controls and gain unauthorized access to the underlying filesystem. Successful exploitation could allow an attacker to read or modify system files.
AnalysisAI
Authentication bypass in the default SFTP server component shared across Ciena's 6500 S-Series, 6500 T-Series, PTS, and CPL packet-optical transport platforms allows a remote, unauthenticated attacker to reach the underlying filesystem and read or modify system files. Rated CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and classified as CWE-288, the flaw undermines the primary access control on management-plane file transfer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The prerequisite is network reachability to the default-enabled SFTP server component on an affected Ciena element (6500 S-Series R16.96 and prior, 6500 T-Series R16.1 and prior, PTS R16.1 and prior, or CPL R12.63 and prior); no credentials, no user interaction, and no non-default configuration are required, since the SFTP server is described as running by default. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to a genuine high-priority issue rather than a paper-tiger high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a Ciena 6500, PTS, or CPL element's SFTP service connects and leverages the authentication bypass to obtain filesystem access without valid credentials, then downloads sensitive configuration or credential files and/or writes modified system files to tamper with the device. No user interaction or prior authentication is required (AV:N/AC:L/PR:N/UI:N), so a single crafted SFTP session is sufficient; no public POC is currently known. |
| Remediation | Upgrade each affected platform to a Ciena release later than the listed vulnerable versions - 6500 S-Series beyond R16.96, 6500 T-Series and PTS beyond R16.1, and CPL beyond R12.63 - using the fixed builds identified in Ciena's advisory at https://www.ciena.com/product-security (no vendor-released patch version is independently confirmed from the available data, so obtain exact fixed builds from Ciena support). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all affected Ciena platforms (6500 S-Series, 6500 T-Series, PTS, CPL); restrict SFTP inbound access via firewall to authorized networks only; enable audit logging for all SFTP and file-system access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41884
GHSA-m6c7-7xhp-6vhc