CVE-2025-54084
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-12
Assigner: Fluid Attacks
Description
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| broadcom | bcm68380 | * |
| calix | gigacenter_ont | 12.2.13.4 |
| calix | gigacenter_ont | 4.16l.05xponpatch2 |
| quantenna | qt3840bc | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54084 is an OS command injection vulnerability in Calix GigaCenter ONT devices (models 844E, 844G, 844GE, 854GE) that allows authenticated attackers with 'super' user credentials to execute arbitrary operating system commands remotely. The flaw exists in the Quantenna SoC firmware's web interface, specifically in the file /var/www/tools_command.php, due to improper input validation. Exploiting this vulnerability involves logging into the device's web interface, obtaining a CSRF token, and injecting OS commands, potentially leading to full system compromise. [1]
How can this vulnerability impact me?
This vulnerability can lead to full system compromise of the affected Calix GigaCenter ONT devices. An attacker with 'super' user credentials can remotely execute arbitrary OS commands, potentially gaining unauthorized control over the device, opening backdoor shells, and manipulating the system. This can disrupt network operations, compromise data integrity, and allow further attacks within the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the Quantenna web interface at http://169.254.1.2:80/login.php and checking for the presence of the vulnerable endpoint /var/www/tools_command.php. An authenticated user with 'super' credentials can try to retrieve a CSRF token from tools_command.php and test for command injection by injecting harmless OS commands. Additionally, monitoring for unusual network activity such as connections to port 4444 (used by the backdoor shell in the proof-of-concept) can help detect exploitation attempts. For example, you can use commands like `netstat -an | grep 4444` on the device to check for listening backdoor shells, or use network monitoring tools to detect unexpected outbound connections on that port. [1]
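The netstat check suggested above matches any line containing the digits 4444, so a connection on, say, port 44440 would also trigger it. The following shell snippet is an added detection example, not code from the BaseFortify page, Calix or the CVE report: it filters a netstat-style listing for sockets in the LISTEN state whose local port is exactly the one named in the answer (4444, overridable via the assumed BACKDOOR_PORT variable). The sample listing embedded in it is constructed for offline testing and assumes the column layout of `netstat -an` where the state is the last field; on a live device, pipe the real `netstat -an` output into the function instead.

```shell
# Added example (not from the page): flag LISTEN sockets bound exactly to the
# port the detection advice names. BACKDOOR_PORT is an assumed, optional
# override; the default is the port 4444 mentioned in the proof-of-concept.
PORT="${BACKDOOR_PORT:-4444}"

# find_listeners: reads netstat-style output on stdin and prints only the
# LISTEN lines whose local port (after the last ':') equals $PORT.
find_listeners() {
    awk -v port="$PORT" '
        $NF == "LISTEN" {
            n = split($4, addr, ":")      # works for 0.0.0.0:4444 and :::4444
            if (addr[n] == port) print
        }'
}

# count_listeners: number of matching listeners (0 when none), for scripting.
count_listeners() {
    find_listeners | wc -l | tr -d ' '
}

# Constructed sample listing: one genuine listener on 4444, one established
# connection on 44440 that a plain 'grep 4444' would wrongly match.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:44440       10.0.0.5:443            ESTABLISHED'

# check_sample: run the detector over the constructed sample (expected: 1).
check_sample() {
    printf '%s\n' "$SAMPLE" | count_listeners
}

# On a real device: netstat -an | find_listeners
```

Exit status and counts from `count_listeners` make this easy to wire into a periodic cron or monitoring check; treat any non-zero result on an ONT that should have no service on that port as an indicator worth investigating alongside the device's web-interface access logs.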
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official firmware patch R12.2.13.4 provided by Calix, which fixes the vulnerability. Since the patch is only accessible to authorized users, subscribers should contact their broadband service providers (BSPs) to coordinate the update. Until the patch is applied, restrict access to the Quantenna web interface, change default or known 'super' user credentials, and monitor for suspicious activity such as unexpected shell access or network connections on port 4444. [1]