
CVE-2025-63353: n/a

Severity: Critical
Tags: Vulnerability, CVE-2025-63353, cve, cve-2025-63353
Published: Wed Nov 12 2025 (11/12/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction.

AI-Powered Analysis

Last updated: 11/19/2025, 16:59:55 UTC

Technical Analysis

CVE-2025-63353 identifies a critical security vulnerability in the FiberHome GPON ONU HG6145F1 RP4423 model, where the factory default Wi-Fi password (WPA/WPA2 pre-shared key) is generated by a deterministic algorithm from the device's SSID. An attacker who can observe the SSID broadcast by the device can therefore predict the default Wi-Fi password without any authentication or user interaction. The vulnerability arises from improper credential management (CWE-284): the default credentials are not randomized or unique per device but are algorithmically linked to the SSID. This allows straightforward offline password prediction and, with it, unauthorized network access. Once connected, an attacker could intercept sensitive data, manipulate network traffic, or disrupt network availability. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability: the attack vector is network, and no privileges or user interaction are required. No patches or firmware updates have been published yet, and no active exploitation has been reported. The affected device is commonly deployed in fiber-optic broadband networks, particularly in regions where FiberHome equipment is widely used.

Potential Impact

For European organizations, this vulnerability poses a significant risk to network security, especially for ISPs, enterprises, and residential users relying on FiberHome GPON ONU HG6145F1 RP4423 devices. Unauthorized access to Wi-Fi networks can lead to data breaches, interception of sensitive communications, lateral movement within internal networks, and potential disruption of services. Critical infrastructure sectors using these devices for broadband connectivity could face operational disruptions or espionage risks. The ease of exploitation—requiring only observation of the SSID—means attackers can quickly compromise networks without physical access or complex attack vectors. This could undermine trust in service providers and lead to regulatory penalties under GDPR if personal data is exposed. The lack of available patches increases the urgency for organizations to implement compensating controls to protect their networks.

Mitigation Recommendations

1. Immediately audit networks to identify FiberHome GPON ONU HG6145F1 RP4423 devices and assess exposure.
2. Where possible, replace vulnerable devices with models that do not use deterministic default passwords or that support secure credential management.
3. Disable or change default Wi-Fi credentials manually to strong, unique passwords that are not derivable from the SSID.
4. Implement network segmentation to isolate vulnerable devices from critical internal systems and sensitive data.
5. Use strong encryption and VPNs for sensitive communications over Wi-Fi networks.
6. Monitor network traffic for unauthorized access attempts or unusual activity originating from Wi-Fi connections.
7. Engage with ISPs and FiberHome vendors to demand firmware updates or patches addressing this vulnerability.
8. Educate users and administrators about the risks of default credentials and the importance of changing them.
9. Apply strict access control policies and consider disabling Wi-Fi SSID broadcast if feasible to reduce exposure.
10. Maintain up-to-date asset inventories and vulnerability management processes to quickly respond to emerging threats.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6914b35c224357dd22fa7e39

Added to database: 11/12/2025, 4:18:36 PM

Last enriched: 11/19/2025, 4:59:55 PM

Last updated: 11/22/2025, 2:07:58 PM
