The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67112

CVE-2025-67112: Sercomm SCE4255W Privilege Escalation

CVE-2025-67112 is a privilege escalation vulnerability in Sercomm SCE4255W firmware caused by hard-coded encryption keys. Attackers can manipulate device configurations and credentials. This article covers affected versions, impact, and mitigation.

Published: March 20, 2026

CVE-2025-67112 Overview

CVE-2025-67112 is a cryptographic vulnerability affecting the Sercomm SCE4255W (FreedomFi Englewood) small cell device. The firmware contains a hard-coded AES-256-CBC encryption key within the configuration backup and restore implementation. Remote authenticated users can exploit this weakness to decrypt device configuration backups, modify sensitive settings including credentials, re-encrypt the configuration, and import it back into the device via the GUI import/export functions—resulting in credential manipulation and privilege escalation.

Critical Impact

Authenticated attackers can fully compromise device configurations by exploiting the hard-coded encryption key, enabling credential theft, unauthorized privilege escalation, and complete device takeover.

Affected Products

  • Sercomm SCE4255W (FreedomFi Englewood) firmware versions before DG3934v3@2308041842

Discovery Timeline

  • 2026-03-19 - CVE CVE-2025-67112 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2025-67112

Vulnerability Analysis

This vulnerability stems from a fundamental cryptographic implementation flaw in the Sercomm SCE4255W firmware. The device uses AES-256-CBC encryption to protect configuration backup files that can be exported and imported through the web-based GUI. However, the encryption key used to protect these configuration files is hard-coded directly into the firmware, making it extractable through firmware analysis.

Once an attacker obtains the hard-coded key, they can decrypt any configuration backup exported from the device. The decrypted configuration contains sensitive information including administrative credentials, network settings, and device parameters. An attacker can modify these values—such as changing administrator passwords or elevating user privileges—then re-encrypt the configuration using the same hard-coded key and import it back into the device through the standard GUI interface.

This attack requires authenticated access to the device's web interface to export and import configuration files, but the authentication level required may be minimal depending on the device's access control configuration.

Root Cause

The root cause of this vulnerability is the use of hard-coded cryptographic material (CWE-321: Use of Hard-coded Cryptographic Key). The firmware developers embedded a static AES-256-CBC key directly in the firmware binary rather than implementing proper key derivation mechanisms or unique per-device keys. This design flaw means all devices running vulnerable firmware versions share the same encryption key, and once extracted, the key can be used to compromise any affected device.

Attack Vector

The attack vector requires an authenticated user with access to the device's web-based management GUI. The exploitation flow involves:

  1. Exporting a configuration backup through the GUI export function
  2. Extracting the hard-coded AES-256-CBC key from the firmware (one-time effort applicable to all devices)
  3. Decrypting the configuration backup using the extracted key
  4. Modifying sensitive parameters such as credentials or privilege levels
  5. Re-encrypting the modified configuration with the same key
  6. Importing the malicious configuration through the GUI import function

The vulnerability mechanism relies on the predictable nature of the hard-coded key. Because all devices running the vulnerable firmware use the same static key, an attacker who has analyzed the firmware once can decrypt and manipulate configurations from any device running that firmware version. Technical details regarding the specific key extraction methodology can be found in the Nero Team blog post.

Detection Methods for CVE-2025-67112

Indicators of Compromise

  • Unexpected configuration changes on the device, particularly to administrative credentials or user privilege levels
  • Configuration import events in device logs from unexpected sources or at unusual times
  • Multiple configuration export operations followed by import operations within a short timeframe
  • Unauthorized administrative accounts appearing on the device

Detection Strategies

  • Monitor device audit logs for configuration import/export activities and correlate with authorized change windows
  • Implement network monitoring to detect unusual traffic to the device management interface
  • Establish baseline configurations and perform periodic integrity checks to identify unauthorized modifications
  • Review user account listings on devices for unauthorized privilege escalations or new administrative accounts

Monitoring Recommendations

  • Enable verbose logging on device management interfaces and forward logs to a centralized SIEM
  • Configure alerts for any configuration changes outside of scheduled maintenance windows
  • Implement network segmentation to restrict access to device management interfaces
  • Monitor for firmware analysis activities on your network that could indicate attackers preparing to extract the hard-coded key

How to Mitigate CVE-2025-67112

Immediate Actions Required

  • Update affected Sercomm SCE4255W devices to firmware version DG3934v3@2308041842 or later
  • Restrict network access to the device management GUI to trusted administrative networks only
  • Review and rotate all credentials stored on affected devices after patching
  • Audit configuration history for any unauthorized changes that may have been made prior to patching

Patch Information

The vulnerability is addressed in firmware version DG3934v3@2308041842 and later. Organizations should obtain the updated firmware from FreedomFi or through their authorized distribution channels. Additional device information can be found in the FCC Report Document.

Workarounds

  • Implement strict network access controls to limit which systems can access the device management interface
  • Disable or restrict configuration export/import functionality if not operationally required
  • Deploy network monitoring to detect and alert on configuration file transfers to/from the device
  • Consider isolating affected devices on a dedicated management VLAN with enhanced monitoring until patching is complete
bash
# Network segmentation example - restrict management access
# Example iptables rules to limit access to device management interface
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 80 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechFreedomfi
  • SeverityNONE
  • CVSS ScoreN/A
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • FCC Report Document
  • Freedom Fi Homepage
  • Nero Team Blog Post
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English