Critical 2025 Raisecomm Authentication Bypass: Root Access Risk to ICS Networks
Executive Summary
In October 2025, a critical remote authentication bypass vulnerability (CVE-2025-11534) was publicly disclosed in Raisecomm RAX701-GC series network equipment, allowing unauthenticated attackers to establish SSH sessions and gain root shell access without providing valid credentials. Discovered and reported by security researchers from runZero, this exploit poses an elevated risk to infrastructure sectors relying on these devices globally, as affected firmware versions remain susceptible with exploits achievable at low complexity and no prior privileges. Business and operational impacts include full remote compromise, lateral movement potential, and the ability for attackers to implant persistent threats or disrupt essential communications and IT operations.
The incident is especially pressing now, indicating a rising trend in targeting embedded and edge devices in critical environments via misconfigurations or software flaws. As attackers expand their focus to accessible infrastructure, organizations face increasing pressure to implement robust access controls, proactive segmentation, and defense-in-depth strategies to safeguard operational networks.
Why This Matters Now
This vulnerability presents an urgent threat because it is exploitable remotely with minimal skill, affects critical infrastructure worldwide, and lacks vendor-supported mitigations. Widespread exposure of unmanaged network devices combined with slow patch cycles makes these environments prime targets for adversaries seeking to gain unfettered system access.
Attack Path Analysis
An attacker remotely exploited a critical authentication bypass in Raisecomm RAX701-GC devices to gain unauthenticated root shell access. With root privileges, the adversary could further escalate access if segmentation or privilege restrictions were not in place. Utilizing open network paths, the attacker could pivot to adjacent systems or networks for broader compromise. Once established, the attacker may have set up command and control channels to remotely manage compromised assets. Sensitive data, configurations, or credentials could then have been exfiltrated through unmonitored or unencrypted channels. Finally, adversaries might disrupt operations, degrade device functionality, or deploy destructive actions such as configuration changes, ransomware, or system wiping.
Kill Chain Progression
Initial Compromise
Description
The attacker remotely exploited the authentication bypass vulnerability (CVE-2025-11534) via exposed SSH to access the device shell as root without credentials.
Related CVEs
CVE-2025-11534
CVSS 9.8An authentication bypass vulnerability in Raisecom RAX701-GC devices allows remote attackers to establish SSH sessions without valid credentials, potentially leading to unauthenticated root shell access.
Affected Products:
Raisecom RAX701-GC-WP-01 – P200R002C52: Firmware version 5.5.27_20190111, P200R002C53: Firmware version 5.5.13_20180720, P200R002C53: Firmware version 5.5.36_20190709
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Modify Authentication Process
Exploit Public-Facing Application
Valid Accounts
Exploitation for Privilege Escalation
Remote Services
Account Manipulation
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure proper user identification and authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Enforce Strong Authentication Mechanisms
Control ID: Identity Pillar - Authentication
NIS2 Directive – Access Control Policies and Measures
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical exposure via Raisecomm network equipment authentication bypass vulnerability enabling remote unauthenticated root access to telecommunications infrastructure devices worldwide.
Information Technology/IT
High-severity authentication bypass in IT infrastructure devices allows remote attackers complete system control, requiring immediate network isolation and VPN protection.
Internet
Internet service providers face severe risk from remotely exploitable authentication bypass in network equipment, threatening service availability and customer data.
Utilities
Critical infrastructure sectors including utilities exposed to remote authentication bypass attacks on control systems requiring enhanced network segmentation and monitoring.
Sources
- Raisecomm RAX701-GC Serieshttps://www.cisa.gov/news-events/ics-advisories/icsa-25-294-06Verified
- CVE-2025-11534 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-11534Verified
- Raisecom SSH Bypass (CVE-2025-11534)https://www.runzero.com/advisories/raisecom-ssh-bypass-cve-2025-11534/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Cloud Network Security Framework controls such as zero trust segmentation, egress policy enforcement, traffic encryption, and continuous threat detection would have significantly constrained or detected this attack by limiting exposure, preventing lateral movement, controlling outbound data flows, and alerting on suspicious activity.
Control: Zero Trust Segmentation
Mitigation: Reduced attack surface by only allowing trusted entities to access device management ports.
Control: Threat Detection & Anomaly Response
Mitigation: Generated alerts on abnormal authentication behavior and privilege elevation.
Control: East-West Traffic Security
Mitigation: Blocked or alerted on unauthorized lateral network communications.
Control: Inline IPS (Suricata)
Mitigation: Detection or prevention of known C2 protocols and malicious payloads.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound traffic analyzed and restricted to prevent data exfiltration.
Timely detection and centralized visibility of operational-impacting changes.
Impact at a Glance
Affected Business Functions
- Network Management
- Remote Access Control
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to sensitive network configurations and data due to unauthenticated root shell access.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately restrict management access to critical devices using zero trust segmentation and strong access controls.
- • Enforce east-west and egress policy enforcement to limit lateral movement and detect potential exfiltration behaviors.
- • Deploy inline IPS and advanced threat detection to identify and respond to unauthorized authentication and privilege use.
- • Ensure all management and sensitive data flows are encrypted end-to-end using high-performance line-rate encryption.
- • Continuously monitor cloud and hybrid environments with centralized visibility to promptly identify and mitigate deviations and threats.
