CVE-2025-7635: CWE-306 Missing Authentication for Critical Function in Calix GigaCenter ONT

High
Published: Tue Sep 09 2025 (09/09/2025, 20:08:37 UTC)
Source: CVE Database V5
Vendor/Project: Calix
Product: GigaCenter ONT

Description

Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.

AI-Powered Analysis

Last updated: 09/09/2025, 20:11:29 UTC

Technical Analysis

CVE-2025-7635 is a high-severity vulnerability affecting Calix GigaCenter Optical Network Terminals (ONTs), specifically models 844E, 844G, 844GE, and 854GE. It is classified under CWE-306, missing authentication for a critical function. Here the critical function is Telnet access to the device, which is exposed without any authentication requirement. This allows any unauthenticated attacker with network access to the device's Telnet interface to gain root-level access to the affected ONTs remotely. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high impact and ease of exploitation. The vector indicates that the attack requires adjacent network access (AV:A), no privileges (PR:N), no user interaction (UI:N), and no attack requirements (AT:N). The impact on confidentiality, integrity, and availability is high, as the attacker can fully control the device, potentially intercepting, modifying, or disrupting network traffic. No patches or mitigations have been officially released at the time of publication, and no known exploits are currently observed in the wild. The vulnerability was reserved in mid-July 2025 and published in early September 2025, indicating recent discovery and disclosure. Calix GigaCenter ONTs are commonly deployed by ISPs and service providers to deliver fiber broadband services, making this vulnerability critical in the context of home and business internet infrastructure.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for ISPs, telecommunications providers, and enterprises relying on Calix GigaCenter ONTs for fiber broadband connectivity. An attacker exploiting this vulnerability could gain root access to the ONT, allowing interception and manipulation of network traffic, disruption of internet services, or pivoting into internal networks. This could lead to data breaches, service outages, and compromise of sensitive communications. Given the critical role of ONTs in last-mile connectivity, exploitation could affect large numbers of end-users and business customers. The high confidentiality, integrity, and availability impact means that both private and public sector entities could face operational disruptions and reputational damage. Additionally, critical infrastructure sectors relying on these devices for connectivity could be targeted, raising concerns about national cybersecurity and resilience. The lack of authentication on Telnet access also increases the risk of automated scanning and exploitation by malicious actors within the local network or ISP infrastructure.

Mitigation Recommendations

Immediate mitigation steps include disabling Telnet access on affected Calix GigaCenter ONTs if possible, or restricting Telnet access to trusted management networks only. Network segmentation should be enforced to isolate ONTs from untrusted or public networks. ISPs and organizations should monitor network traffic for unusual Telnet connection attempts and implement intrusion detection systems to alert on unauthorized access. Since no official patches are available yet, organizations should engage with Calix support for guidance and potential firmware updates. Deploying alternative secure management protocols such as SSH instead of Telnet is recommended once patches are available. Additionally, organizations should conduct audits of all deployed ONTs to identify affected models and prioritize remediation. For long-term mitigation, ISPs should consider replacing vulnerable ONTs with updated hardware that enforces strong authentication mechanisms. Security awareness for network administrators about this vulnerability and its risks is also critical to prevent exploitation.
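The audit and monitoring steps above can be combined into one passive check: pick the affected models out of a device inventory, then flag Telnet flows to those devices from outside the management network. This is an added example, not vendor or advisory code; the inventory and flow-record formats, the addresses, the management range, and the use of TCP port 23 (the default Telnet port) are assumptions.

```python
import csv
import io
import ipaddress

AFFECTED_MODELS = {"844E", "844G", "844GE", "854GE"}   # models listed in the advisory
TELNET_PORT = 23                                       # assumption: default Telnet port
MGMT_NETS = [ipaddress.ip_network("10.250.0.0/24")]    # assumption: trusted management range

# Constructed inventory export (ip,model); OTHER-MODEL is a placeholder.
INVENTORY = """ip,model
100.64.1.10,844GE
100.64.1.11,854GE
100.64.1.12,OTHER-MODEL
100.64.1.13,844g
"""

# Constructed flow records; "state" says whether the TCP handshake completed.
FLOWS = """ts,src,dst,dport,proto,state
2025-09-10T01:02:03Z,10.250.0.5,100.64.1.10,23,tcp,ESTABLISHED
2025-09-10T01:05:00Z,100.64.1.77,100.64.1.10,23,tcp,ESTABLISHED
2025-09-10T01:05:09Z,100.64.1.77,100.64.1.11,23,tcp,SYN_ONLY
2025-09-10T01:06:00Z,100.64.1.77,100.64.1.12,23,tcp,ESTABLISHED
2025-09-10T01:07:00Z,100.64.1.90,100.64.1.13,443,tcp,ESTABLISHED
2025-09-10T01:08:00Z,100.64.1.90,100.64.1.13,23,tcp,ESTABLISHED
"""

def affected_devices(inventory_csv):
    """Return {ip: model} for inventory rows whose model the advisory lists."""
    devices = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()   # tolerate case drift in exports
        if model in AFFECTED_MODELS:
            devices[row["ip"].strip()] = model
    return devices

def telnet_alerts(flows_csv, devices):
    """Flag Telnet flows to affected ONTs from sources outside MGMT_NETS."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if row["proto"] != "tcp" or int(row["dport"]) != TELNET_PORT:
            continue
        src = ipaddress.ip_address(row["src"])
        if row["dst"] not in devices or any(src in net for net in MGMT_NETS):
            continue
        # With no login prompt in the way, a completed session is the serious case.
        severity = "high" if row["state"] == "ESTABLISHED" else "medium"
        alerts.append((row["ts"], row["src"], row["dst"], devices[row["dst"]], severity))
    return alerts
```
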


Technical Details

Data Version: 5.1
Assigner Short Name: Fluid Attacks
Date Reserved: 2025-07-14T12:49:39.283Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68c089dc075fc5f733c91a3d

Added to database: 9/9/2025, 8:11:08 PM

Last enriched: 9/9/2025, 8:11:29 PM

Last updated: 9/9/2025, 9:35:18 PM
