Calix GigaCenter ONT firmware - Sensitive Information Disclosure

5,1

Medium

5,1

Medium

Discovered by

Danilo Erazo

External Pentester

Summary

Full name

Sensitive Information Disclosure in ONT GigaCenter Firmware

Code name

State

Public

Release date

9 de set. de 2025

Affected product

Calix GigaCenter ONT

Vendor

Calix

Affected version(s)

844E, 844G, 844GE and 854GE

Fixed version(s)

R12.2.13.4 patch available to authorised users

Vulnerability name

Sensitive information in source code - Credentials

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS v4.0 base score

5.1

Exploit available

No

Description

The Calix GigaCenter ONT 844E, 844G, 844GE, and 854GE store sensitive credentials insecurely in firmware. The Quantenna SoC firmware extracted from SPI flash memory contains the WPA2 PSK in plaintext and weakly hashed administrative credentials for the Quantenna device's web interface, allowing attackers with physical access to recover network and device access credentials.

Vulnerability

Steps to reproduce the vulnerability:

  1. Extract the firmware from the SPI SOP8 flash memory using the CH341 programmer.

  2. Extract the JFFS2 file system from the firmware.

  3. Recover WPA2 password from hostapd.conf file.

  4. Retrieve the credentials for the Quantenna hidden web app from the admin.conf file.

  5. Crack MD5 hashes in under 1 minute using the rockyou.txt dictionary.

  6. Access the Quantenna web app with the "super" user credentials.

Evidence of Exploitation

Evidence of the extracted file system and the file with the web application user credentials:

Cracking MD5 hashes of the admin.conf file:

Access the web application with the obtained credentials (super:super):

Access the WPA2 PSK key located in the hostapd.conf file:

Our security policy

We have reserved the ID CVE-2025-54083 to refer to this issue from now on.

Disclosure policy

System Information

  • Calix GigaCenter ONT 844E, 844G, 844GE and 854GE.

  • Firmware version 4.16L.05xponpatch2 (build timestamp 230328_1137)

References

Mitigation

This issue is resolved in the R12.2.13.4 patch available to authorised users. Subscribers with concerns about the security of the ONT servicing their premises should contact their BSP to push the update, as these devices are not licensed to consumers.  

Credits

The vulnerability was discovered by Danilo Erazo,  an independent security researcher.

Timeline

16 de fev. de 2025

Vulnerability discovered

21 de jul. de 2025

Vendor contacted

1 de ago. de 2025

Vendor replied

1 de ago. de 2025

Vendor confirmed

5 de set. de 2025

Vulnerability patched

9 de set. de 2025

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Assine nossa newsletter

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Assine nossa newsletter

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Assine nossa newsletter

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.