CVE-2021-25681
CVE-2021-25681 is a high-severity vulnerability in Adtran Personal Phone Manager with a CVSS 3.x base score of 7.5. Its EPSS exploit-prediction score of 13% places it in the 96th percentile, indicating an elevated likelihood of exploitation.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 13% (96th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Adtran Personal Phone Manager
- Published:
- Last modified:
Description
AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched.
Frequently asked questions
- What is CVE-2021-25681?
- AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched.
- How severe is CVE-2021-25681?
- CVE-2021-25681 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-25681 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 13% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-25681?
- CVE-2021-25681 affects Adtran Personal Phone Manager. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-25681?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-25681 published?
- CVE-2021-25681 was published on 2021-04-20 and last updated on 2026-07-05.
References
- http://packetstormsecurity.com/files/162280/Adtran-Personal-Phone-Manager-10.8.1-DNS-Exfiltration.html
- https://github.com/3ndG4me/AdTran-Personal-Phone-Manager-Vulns/blob/main/CVE-2021-25681.md
- http://adtran.com
Affected products (1)
- cpe:2.3:a:adtran:personal_phone_manager:10.8.1:*:*:*:*:*:*:*
More vulnerabilities in Adtran Personal Phone Manager
- CVE-2021-25680 — Medium (CVSS 6.1): The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These…
- CVE-2021-25679 — Medium (CVSS 5.4): The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues.…