Calix GigaCenter ONT firmware - Sensitive Information Disclosure

Description

The Calix GigaCenter ONT 844E, 844G, 844GE, and 854GE store sensitive credentials insecurely in firmware. The Quantenna SoC firmware extracted from SPI flash memory contains the WPA2 PSK in plaintext and weakly hashed administrative credentials for the Quantenna device's web interface, allowing attackers with physical access to recover network and device access credentials.

Vulnerability

Steps to reproduce the vulnerability:

1. Extract the firmware from the SPI SOP8 flash memory using the CH341 programmer.

2. Extract the JFFS2 file system from the firmware.

3. Recover WPA2 password from hostapd.conf file.

4. Retrieve the credentials for the Quantenna hidden web app from the admin.conf file.

5. Crack MD5 hashes in under 1 minute using the rockyou.txt dictionary.

6. Access the Quantenna web app with the "super" user credentials.

Evidence of Exploitation

Evidence of the extracted file system and the file with the web application user credentials:

Cracking MD5 hashes of the admin.conf file:

Access the web application with the obtained credentials (super:super):

Access the WPA2 PSK key located in the hostapd.conf file:

Our security policy

We have reserved the ID CVE-2025-54083 to refer to this issue from now on.

Disclosure policy

System Information

• Calix GigaCenter ONT 844E, 844G, 844GE and 854GE.

• Firmware version 4.16L.05xponpatch2 (build timestamp 230328_1137)

References

• Vendor: https://www.calix.com

• Security: https://www.calix.com/security.html

• Researcher's blog: https://revers3everything.com/calix-case-five-0-days-five-cves/

Mitigation

This issue is resolved in the R12.2.13.4 patch available to authorised users. Subscribers with concerns about the security of the ONT servicing their premises should contact their BSP to push the update, as these devices are not licensed to consumers.  

Credits

The vulnerability was discovered by Danilo Erazo,  an independent security researcher.