CVE-2025-54083 is a vulnerability identified in the Calix GigaCenter Optical Network Terminal (ONT) devices, specifically models 844E, 844G, 844GE, and 854GE, which utilize Quantenna SoC modules. The vulnerability is classified under CWE-922, indicating insecure storage of sensitive information. This flaw allows unauthorized attackers to gain administrative access to the web interface of the affected ONT devices without requiring authentication or user interaction. The root cause is the improper handling and storage of sensitive data within the device, which can be extracted or accessed by an attacker with network-level access (as indicated by the CVSS vector AV:P - Physical Access). The vulnerability does not require privileges or user interaction, making it easier to exploit if an attacker can reach the device. The CVSS 4.0 base score is 5.1, categorized as medium severity, primarily due to the limited attack vector (physical access) but high impact on confidentiality since admin credentials or sensitive configuration data can be exposed. The exploit could lead to full administrative control over the ONT device, allowing attackers to manipulate network traffic, intercept communications, or disrupt service. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that affected organizations should prioritize monitoring and mitigation.

For European organizations, this vulnerability poses a significant risk especially for Internet Service Providers (ISPs), telecommunications companies, and enterprises deploying Calix GigaCenter ONT devices for fiber broadband access. Compromise of ONT devices can lead to unauthorized network access, interception of sensitive data, and potential disruption of internet services for end-users. Given the critical role of ONTs in last-mile connectivity, exploitation could affect confidentiality and availability of network services. This is particularly concerning for sectors relying on secure and stable internet connectivity such as finance, healthcare, and government services. Additionally, the exposure of administrative interfaces could facilitate lateral movement within networks or be leveraged for further attacks. The physical access requirement somewhat limits remote exploitation, but insider threats or attackers with physical proximity could exploit this vulnerability. The lack of patches increases the urgency for organizations to implement compensating controls to prevent exploitation.

1. Physical Security: Strengthen physical security controls around ONT devices to prevent unauthorized physical access. This includes secure installation locations and tamper-evident seals. 2. Network Segmentation: Isolate ONT management interfaces on separate VLANs or management networks inaccessible from general user networks to limit exposure. 3. Access Controls: Implement strict access control policies and monitor access logs for suspicious activity related to ONT devices. 4. Firmware Updates: Regularly check with Calix for firmware updates or patches addressing this vulnerability and apply them promptly once available. 5. Device Replacement: For high-risk environments, consider replacing affected ONT models with devices not impacted by this vulnerability. 6. Monitoring and Detection: Deploy network monitoring to detect unusual traffic patterns or unauthorized access attempts to ONT management interfaces. 7. Vendor Engagement: Engage with Calix support to obtain guidance and timelines for remediation and to report any suspicious activity.