CVE-2025-54084
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-12

Assigner: Fluid Attacks

Description
OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-09-12
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-54084
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
broadcom bcm68380 *
calix gigacenter_ont 12.2.13.4
calix gigacenter_ont 4.16l.05xponpatch2
quantenna qt3840bc *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-54084 is an OS command injection vulnerability in Calix GigaCenter ONT devices (models 844E, 844G, 844GE, 854GE) that allows authenticated attackers with 'super' user credentials to execute arbitrary operating system commands remotely. The flaw exists in the Quantenna SoC firmware's web interface, specifically in the file /var/www/tools_command.php, due to improper input validation. Exploiting this vulnerability involves logging into the device's web interface, obtaining a CSRF token, and injecting OS commands, potentially leading to full system compromise. [1]

Impact Analysis

This vulnerability can lead to full system compromise of the affected Calix GigaCenter ONT devices. An attacker with 'super' user credentials can remotely execute arbitrary OS commands, potentially gaining unauthorized control over the device, opening backdoor shells, and manipulating the system. This can disrupt network operations, compromise data integrity, and allow further attacks within the network. [1]

Detection Guidance

This vulnerability can be detected by attempting to access the Quantenna web interface at http://169.254.1.2:80/login.php and checking for the presence of the vulnerable endpoint /var/www/tools_command.php. An authenticated user with 'super' credentials can try to retrieve a CSRF token from tools_command.php and test for command injection by injecting harmless OS commands. Additionally, monitoring for unusual network activity such as connections to port 4444 (used by the backdoor shell in the proof-of-concept) can help detect exploitation attempts. For example, you can use commands like `netstat -an | grep 4444` on the device to check for listening backdoor shells, or use network monitoring tools to detect unexpected outbound connections on that port. [1]

Mitigation Strategies

The immediate mitigation step is to apply the official firmware patch R12.2.13.4 provided by Calix, which fixes the vulnerability. Since the patch is only accessible to authorized users, subscribers should contact their broadband service providers (BSPs) to coordinate the update. Until the patch is applied, restrict access to the Quantenna web interface, change default or known 'super' user credentials, and monitor for suspicious activity such as unexpected shell access or network connections on port 4444. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart