CVE-2025-63292 is a privacy-related vulnerability found in several Freebox models, including Freebox v5 HD, v5 Crystal, v6 Révolution r1–r3, Mini 4K, and Freebox One, running specific firmware versions (1.7.20 for v5 models and 4.7.x for others). The flaw lies in the EAP-SIM authentication process used by the FreeWifi_secure network, where during the EAP-Response/Identity phase, the subscriber's full Network Access Identifier (NAI) is transmitted in plaintext. This NAI embeds the International Mobile Subscriber Identity (IMSI), a unique identifier tied to the subscriber's SIM card. Because this data is sent without encryption, tunneling, or pseudonymization, any nearby attacker within Wi-Fi range can passively intercept these frames using standard wireless sniffing tools. The attacker does not require elevated privileges or user interaction, making exploitation straightforward. The exposed IMSI can be used for device tracking, subscriber correlation across networks, and long-term monitoring of user presence near any broadcasting Freebox device. Although this vulnerability does not directly compromise device integrity or network availability, it severely impacts subscriber privacy and location confidentiality. The vendor has acknowledged the vulnerability and plans to fully deactivate the FreeWifi_secure service by October 1, 2025, as a mitigation step. No patches or firmware updates are currently indicated, and no known exploits have been reported in the wild as of the publication date.

For European organizations, especially those operating or providing services in France where Freebox devices are widely used, this vulnerability poses a significant privacy risk. The exposure of IMSI identifiers can lead to unauthorized tracking of employees, customers, or visitors using Freebox Wi-Fi networks, potentially violating GDPR and other privacy regulations. Organizations relying on Freebox devices for guest or public Wi-Fi may inadvertently expose sensitive subscriber information, undermining trust and compliance. While the vulnerability does not enable direct network intrusion or data manipulation, the ability to correlate subscriber presence and movement can facilitate targeted surveillance or profiling. This risk is particularly acute for organizations in sectors requiring strong privacy protections, such as healthcare, finance, and government. Additionally, the passive nature of the attack and lack of required user interaction make detection difficult, increasing the likelihood of unnoticed privacy breaches. The planned deactivation of the FreeWifi_secure service mitigates future risk but does not address existing exposures until that date.

European organizations using affected Freebox models should immediately disable or avoid using the FreeWifi_secure network to prevent IMSI exposure. Network administrators should monitor for unauthorized Wi-Fi sniffing activity in sensitive areas and consider deploying wireless intrusion detection systems (WIDS) to detect passive reconnaissance attempts. Where possible, replace affected Freebox devices with models or firmware versions that do not expose IMSI or use alternative secure Wi-Fi authentication methods that employ encryption and pseudonymization of subscriber identifiers. Organizations should also inform users about the privacy risks and encourage the use of VPNs or other encrypted communication channels when connecting to FreeWifi_secure or similar networks. Since the vendor plans to deactivate the vulnerable service by October 1, 2025, organizations should plan for this transition and verify that no residual services expose subscriber information. Finally, compliance teams should review privacy policies and ensure that any data collection or monitoring complies with GDPR and local regulations, documenting mitigation efforts and risk assessments.