Calix GigaCenter ONT - Unauthenticated Telnet
Discovered by
External Pentester
Summary
Full name
Unauthenticated Telnet Access in Calix Gigacenter ONT grants administrative access
Code name
State
Public
Release date
9 de set. de 2025
Affected product
Calix GigaCenter
Vendor
Calix
Affected version(s)
844E, 844G, 844GE and 854GE
Fixed version(s)
R12.2.13.4 patch available to authorised users
Vulnerability name
Exposed administrative services
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS v4.0 base score
8.7
Exploit available
No
CVE ID(s)
Description
The Calix GigaCenter ONT 844E, 844G, 844GE, and 854GE are affected by a vulnerability in their firmware design. During the boot process, after the Broadcom System-on-Chip (SoC) completes initialization, it enables the Quantenna SoC to boot. As part of this process, the Quantenna interface becomes active and exposes additional internal services. It has been discovered that the Telnet service is accessible via the Quantenna interface IP without requiring authentication. This exposure allows an attacker with access to the local network (LAN) to connect to the Telnet service and gain unauthorized, high-privilege access to the device.
Vulnerability
Steps to reproduce the vulnerability:
Run an Nmap scan on port 23 at [Quantenna interface IP address], using the following command:
sudo nmap -n -Pn -p 23 [Quantenna interface IP address]Next, start a Telnet session to address [Quantenna interface IP address].
When prompted for a username, enter "admin" or "root."
The system won't ask for a password because these two root users don't have a password set on the system.
This can be verified by checking the '/etc/shadow' file.
Evidence of Exploitation
Interface [Quantenna interface IP address] is discovered during the boot process of the Broadcom SoC:
Port scan of IP [Quantenna interface IP address]:
Unauthenticated root access to the Telnet service via the 'admin' user:
Telnet access + PSK leak:
Our security policy
We have reserved the ID CVE-2025-7635 to refer to this issue from now on.
System Information
Calix GigaCenter ONT 844E, 844G, 844GE and 854GE.
Firmware version 4.16L.05xponpatch2 (build timestamp 230328_1137)
References
Vendor: https://www.calix.com
Security: https://www.calix.com/security.html
Mitigation
This issue is resolved in the R12.2.13.4 patch available to authorised users. Subscribers with concerns about the security of the ONT servicing their premises should contact their BSP to push the update, as these devices are not licensed to consumers.
Credits
The vulnerability was discovered by Danilo Erazo, an independent security researcher.
Timeline
16 de fev. de 2025
Vulnerability discovered
21 de jul. de 2025
Vendor contacted
1 de ago. de 2025
Vendor replied
9 de set. de 2025
Vendor confirmed
1 de ago. de 2025
Vulnerability patched
9 de set. de 2025
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
