CVE-2025-54083 is a medium-severity vulnerability classified under CWE-922 (Insecure Storage of Sensitive Information) affecting Calix GigaCenter Optical Network Terminals (ONTs), specifically models 844E, 844G, 844GE, and 854GE. These devices incorporate Quantenna SoC modules and serve as critical network endpoints for broadband connectivity, often deployed by ISPs and enterprises. The vulnerability arises from improper storage of sensitive information within the device, which can be exploited by an attacker with network-level access (as indicated by the CVSS vector AV:P - Physical or local network access required). Exploiting this flaw allows an attacker to gain administrative access to the web interface of the ONT without authentication, thereby compromising device management controls. This unauthorized access could enable attackers to alter configurations, intercept or redirect traffic, or use the device as a pivot point for further network intrusion. The vulnerability does not require user interaction or privileges and does not affect confidentiality or integrity of data beyond the device management interface itself, but it does have a high impact on availability (VC:H) as attackers could disrupt device operation. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. The vulnerability was reserved in mid-2025 and published in September 2025, indicating recent discovery and disclosure. The CVSS 4.0 score of 5.1 reflects a medium risk primarily due to the requirement of local network access and lack of authentication bypass complexity.

For European organizations, this vulnerability poses a significant risk particularly to ISPs, telecommunications providers, and enterprises using Calix GigaCenter ONTs for broadband access. Unauthorized administrative access to ONTs can lead to service disruptions, interception of customer traffic, and potential lateral movement within corporate or ISP networks. This could degrade network availability and trust in service providers. Given the role of ONTs as the demarcation point between customer premises and service provider networks, exploitation could also facilitate broader attacks on subscriber data privacy and network infrastructure. The impact is heightened in critical infrastructure sectors relying on stable broadband connectivity, such as finance, healthcare, and government services. Although exploitation requires local network access, compromised devices within an ISP’s managed network or a corporate LAN could be leveraged by attackers to escalate privileges or disrupt services. The lack of authentication for administrative access increases the risk of insider threats or attackers who gain initial footholds in the network.

To mitigate this vulnerability, European organizations should: 1) Immediately inventory and identify all Calix GigaCenter ONT models 844E, 844G, 844GE, and 854GE in their networks. 2) Restrict physical and network access to ONTs, ensuring that only trusted personnel and systems can reach the device management interfaces. 3) Implement network segmentation and access control lists (ACLs) to isolate ONT management interfaces from general user networks and the internet. 4) Monitor network traffic for unusual access patterns to ONT web interfaces, including unauthorized administrative login attempts. 5) Engage with Calix for firmware updates or patches addressing this vulnerability; if unavailable, consider temporary compensating controls such as disabling web management interfaces or changing default credentials if possible. 6) Conduct regular security audits and penetration tests focused on ONT devices to detect potential exploitation attempts. 7) Educate network administrators and support staff about the risks of insecure storage vulnerabilities and the importance of securing device management channels.