CVE-2025-67114
Deterministic Credential Leak in Sercomm SCE4255W Enables Authentication Bypass
Publication date: 2026-03-19
Last updated on: 2026-03-24
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sercomm | sce4255w | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1391 | The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the use of a deterministic credential generation algorithm in the /ftl/bin/calc_f2 component of the Small Cell Sercomm SCE4255W firmware. Because the credentials are generated deterministically based on the device's MAC address, remote attackers can derive valid administrative or root credentials simply by knowing the MAC address.
This allows attackers to bypass authentication mechanisms and gain full access to the device.
How can this vulnerability impact me?
An attacker who exploits this vulnerability can gain unauthorized administrative or root access to the affected device. Possible consequences include:
- Full device control, including configuration changes and potential disruption of services.
- Potential exposure of sensitive data stored or processed by the device.
- Use of the compromised device as a foothold for further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know