CVE-2025-63353 Overview
A critical vulnerability exists in the FiberHome GPON ONU HG6145F1 RP4423 router that allows attackers to predict the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) directly from the broadcasted SSID. The device uses a deterministic algorithm to generate default passwords, creating a direct mathematical relationship between the SSID and the router passphrase. This enables any attacker within Wi-Fi range who can observe the SSID to calculate the default password without requiring any authentication or user interaction.
Critical Impact
Attackers can gain unauthorized wireless network access to any FiberHome HG6145F1 router using factory default credentials by simply observing the broadcast SSID, potentially compromising all devices on the network.
Affected Products
- FiberHome HG6145F1 Firmware version RP4423
- FiberHome HG6145F1 Hardware
Discovery Timeline
- 2025-11-12 - CVE-2025-63353 published to NVD
- 2025-12-31 - Last updated in NVD database
Technical Details for CVE-2025-63353
Vulnerability Analysis
This vulnerability stems from a fundamental cryptographic weakness in the FiberHome HG6145F1's password generation mechanism. Rather than using a secure random number generator to create unique, unpredictable default Wi-Fi passwords, the router firmware implements a deterministic algorithm that derives the WPA/WPA2 pre-shared key directly from the SSID.
The weakness is classified under CWE-284 (Improper Access Control), as the predictable credential generation effectively bypasses the access control intended by WPA/WPA2 authentication. Since the SSID is broadcast in plaintext by default and can be observed by any device within wireless range, the security of the default password is completely undermined.
This type of vulnerability is particularly dangerous in GPON (Gigabit Passive Optical Network) deployments where ISPs often deploy large numbers of identical router models with factory default configurations. End users frequently do not change default credentials, leaving entire deployments vulnerable to mass exploitation.
Root Cause
The root cause of this vulnerability is the use of a deterministic algorithm for generating default Wi-Fi passwords during device manufacturing or firmware initialization. Instead of implementing a cryptographically secure random password generator or storing unique, randomly-generated credentials in device firmware, the FiberHome HG6145F1 uses the SSID as a seed value to derive the password.
This design decision likely simplified manufacturing and provisioning processes but created a severe security weakness. Once the algorithm is reverse-engineered, every device using factory defaults becomes vulnerable regardless of when or where it was deployed.
Attack Vector
The attack can be executed remotely over the network by any attacker within Wi-Fi range of the target device. The attack requires:
- Passive SSID observation - The attacker scans for wireless networks and identifies FiberHome HG6145F1 routers by their characteristic SSID pattern
- Password derivation - Using the known algorithm, the attacker calculates the default password from the observed SSID
- Network access - The attacker connects to the wireless network using the derived credentials
The attack requires no privileges, no user interaction, and can be performed against any FiberHome HG6145F1 router still using factory default credentials. Technical details and proof-of-concept code demonstrating this vulnerability are available at the GitHub PoC Repository and the Medium Blog Post on Router Vulnerabilities.
Detection Methods for CVE-2025-63353
Indicators of Compromise
- Unauthorized devices appearing on the wireless network that cannot be attributed to known users
- Unexpected network traffic patterns or bandwidth consumption from unknown MAC addresses
- Authentication logs showing successful Wi-Fi connections from unrecognized devices
- Signs of lateral movement or reconnaissance activity originating from wireless network segments
Detection Strategies
- Implement wireless intrusion detection systems (WIDS) to monitor for unauthorized client associations
- Regularly audit connected devices on wireless networks against a known inventory baseline
- Monitor for multiple rapid authentication attempts from different MAC addresses
- Deploy network access control (NAC) solutions to enforce device authentication beyond Wi-Fi credentials
Monitoring Recommendations
- Enable and centralize logging for all wireless access point authentication events
- Set up alerts for new device connections to networks containing FiberHome HG6145F1 routers
- Monitor for unusual outbound traffic patterns that could indicate post-compromise data exfiltration
- Conduct periodic wireless security assessments to identify vulnerable devices in the environment
How to Mitigate CVE-2025-63353
Immediate Actions Required
- Change the default Wi-Fi password immediately on all FiberHome HG6145F1 devices to a strong, randomly-generated passphrase
- Audit your network inventory to identify all FiberHome HG6145F1 routers deployed in your environment
- Review wireless network logs for any signs of unauthorized access that may have occurred prior to remediation
- Consider implementing WPA3 if supported, or ensure WPA2 is configured with a strong, unique password
Patch Information
As of the last update on 2025-12-31, no vendor patch or firmware update has been released by FiberHome to address this vulnerability. The primary mitigation remains changing the default Wi-Fi password to a strong, unique value that cannot be derived from the SSID. Organizations should monitor FiberHome for any future security advisories or firmware updates addressing this issue.
Workarounds
- Manually configure a strong, unique Wi-Fi password (minimum 16 characters with mixed case, numbers, and symbols) on all affected devices
- Disable SSID broadcast if operationally feasible to reduce passive reconnaissance capability
- Implement MAC address filtering as an additional layer of access control (note: this can be bypassed by determined attackers)
- Segment wireless networks containing vulnerable devices from critical infrastructure
- Consider replacing affected devices with routers that use secure random password generation
# Configuration example
# Access the router administration interface and navigate to wireless settings
# Change the default SSID to a non-identifying name
# Set a strong, unique WPA2/WPA3 password (example generation):
openssl rand -base64 24
# Example output: Xa9Kp2mNq7RtYw3ZcH8vLf5jBs
# Use this as your new Wi-Fi password and document it securely
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
