CVE-2025-67112 is a critical cryptographic vulnerability found in the firmware of the Small Cell Sercomm SCE4255W (FreedomFi Englewood) device, specifically in versions before DG3934v3@2308041842. The issue arises from the use of a hard-coded AES-256-CBC encryption key within the configuration backup and restore implementation. This design flaw allows remote authenticated users to decrypt the device's configuration backups, modify sensitive settings including credentials, and then re-encrypt the configuration files using the same hard-coded key. The vulnerability is exploitable via the device's GUI import/export functions, which are typically used for configuration management. Because the key is hard-coded and identical across devices, an attacker who gains authenticated access can manipulate configurations to escalate privileges, potentially gaining full control over the device. The vulnerability is classified under CWE-321 (Use of Hard-coded Cryptographic Key), which is a well-known security anti-pattern that severely undermines cryptographic protections. The CVSS v3.1 base score of 9.8 reflects the vulnerability’s high impact on confidentiality, integrity, and availability, combined with its network attack vector and lack of required user interaction. Although no exploits have been reported in the wild yet, the vulnerability's characteristics suggest it could be leveraged for significant attacks against affected devices.

The impact of CVE-2025-67112 is substantial for organizations deploying the affected Small Cell Sercomm SCE4255W devices. Successful exploitation allows attackers to bypass cryptographic protections on configuration backups, enabling unauthorized decryption and modification of device settings. This can lead to credential theft, unauthorized privilege escalation, and full device compromise. Compromised devices could be used as entry points into broader network environments, undermining network security and potentially disrupting critical communications infrastructure. Given that these devices serve as small cell network components, their compromise could affect cellular coverage and service availability, impacting telecommunications providers and their customers. The vulnerability’s exploitation could also facilitate persistent access and lateral movement within networks, increasing the risk of data breaches and service outages. Organizations relying on these devices for network infrastructure must consider the risk of espionage, service disruption, and reputational damage.

To mitigate CVE-2025-67112, organizations should immediately upgrade affected Small Cell Sercomm SCE4255W devices to firmware version DG3934v3@2308041842 or later, where the hard-coded key issue is resolved. Until patches are applied, restrict access to the device management GUI to trusted administrators only, ideally through network segmentation and strong access controls such as VPNs and multi-factor authentication. Monitor device logs for unusual configuration export/import activities that could indicate exploitation attempts. Implement strict credential management policies and rotate any credentials stored or used in device configurations. Additionally, consider disabling the configuration backup/restore feature if it is not essential for operations. Network defenders should also conduct regular vulnerability assessments and penetration testing focused on these devices to detect potential exploitation. Finally, coordinate with the vendor for any additional security advisories and follow best practices for securing IoT and network infrastructure devices.