Cyber Posture

CVE-2025-63353

Severity: Critical · Public PoC referenced

Published: 12 November 2025
Modified: 31 December 2025
KEV Added: not listed
Patch: none referenced
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0062 (70.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63353 is a critical-severity Improper Access Control (CWE-284) vulnerability in FiberHome HG6145F1 firmware RP4423. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). By EPSS the CVE ranks in the top 29.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management), AC-18 (Wireless Access) and CM-6 (Configuration Settings). In practice all three reduce to the same action: replace the factory default pre-shared key with one that is not derived from the SSID or any other broadcast or printed identifier.

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: the NIST 800-53 controls listed below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent · IA-5 Authenticator Management: requires managing authenticators, including changing factory default passwords and ensuring they resist prediction; this directly prevents unauthorized Wi-Fi access via SSID-derived passphrases.

Prevent · AC-18 Wireless Access: mandates authorization and cryptographic protection for wireless access, mitigating unauthorized connections enabled by predictable default Wi-Fi passwords.

Prevent · CM-6 Configuration Settings: enforces secure baseline configuration settings, including replacing default Wi-Fi passwords with non-deterministic values, addressing the device's deterministic passphrase generation.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1078.001 Default Accounts (tag: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why this technique?

The device derives its factory default Wi-Fi passphrase from the SSID with a deterministic algorithm, so an attacker who observes the broadcast SSID can recompute the default credential without any authentication or user interaction and then join the network with it.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction.

Deeper analysis (AI-generated)

CVE-2025-63353 is a vulnerability in the FiberHome GPON ONU HG6145F1 RP4423 device, published on 2025-11-12. The issue stems from a deterministic algorithm used to generate the factory default Wi-Fi password (WPA/WPA2 pre-shared key), which is derived directly from the SSID. This allows the default password to be predicted solely by observing the SSID, without requiring authentication or user interaction. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control).

Any attacker within wireless range who can observe the SSID can compute the default passphrase and join the network. The prediction step needs no interaction with the victim or the device: SSIDs are broadcast in beacon frames, so passive Wi-Fi scanning suffices. The attack applies to devices still running on the factory default pre-shared key; a user-chosen passphrase is not affected. Successful exploitation grants full access to the Wi-Fi network, potentially enabling further compromise of connected devices or the router itself, depending on network configuration and default credentials.
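As an added illustration of the weakness class described in this analysis and of the IA-5 / CM-6 mitigation in the control mapping above (this is example code written for this page, not code from the advisory, the PoC repository or the FiberHome firmware), the Python below puts a deterministic SSID-derived default passphrase next to a CSPRNG-generated one and audits both. The toy_default_psk() derivation is a hypothetical stand-in for "some deterministic function of the SSID"; it is not the vendor's actual algorithm, which this page does not disclose. The SSID is constructed. The only real protocol step is wpa2_pmk(), the IEEE 802.11i PBKDF2 derivation, included to show that a predicted passphrase yields the pairwise master key, not merely the ability to associate.

```python
"""Predictable-default-PSK weakness (CVE-2025-63353 class) next to its fix.

toy_default_psk() is a HYPOTHETICAL placeholder for "a deterministic function
of the SSID". It is not FiberHome's algorithm, which is not disclosed here.
"""
import hashlib
import math
import secrets
import string

# IEEE 802.11i passphrase rules: 8..63 printable ASCII characters.
PSK_MIN, PSK_MAX = 8, 63
# Alphabet for generated passphrases (letters + digits, 62 symbols).
PSK_ALPHABET = string.ascii_letters + string.digits


def toy_default_psk(ssid: str) -> str:
    """HYPOTHETICAL factory-default scheme: the passphrase is a pure function
    of the SSID. Because the SSID is broadcast in beacon frames, anyone in
    radio range can recompute it. Placeholder only, not the vendor's code."""
    return hashlib.sha1(ssid.encode()).hexdigest()[:10]


def random_psk(length: int = 20) -> str:
    """Hardened default (IA-5 / CM-6): per-device passphrase from a CSPRNG,
    independent of SSID, MAC address or serial number."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError("WPA/WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def attacker_guess_space_bits(ssid: str, derive) -> float:
    """Work an attacker faces once the derivation is known: a deterministic
    scheme leaves exactly one candidate per SSID, i.e. log2(1) = 0 bits."""
    candidates = {derive(ssid)}
    return math.log2(len(candidates))


def random_psk_bits(length: int) -> float:
    """Entropy of a CSPRNG passphrase over PSK_ALPHABET: length * log2(62)."""
    return length * math.log2(len(PSK_ALPHABET))


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Real 802.11i step: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 B).
    Knowing the passphrase therefore yields the PMK; with a captured 4-way
    handshake that is enough to derive session keys and decrypt traffic,
    not merely to associate with the network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit_psk(ssid: str, psk: str, known_bad=toy_default_psk) -> dict:
    """Baseline check (CM-6): flag a PSK equal to the known-bad derivation
    for its SSID, and enforce the 802.11i length rule."""
    return {
        "ssid": ssid,
        "predictable_from_ssid": psk == known_bad(ssid),
        "length_ok": PSK_MIN <= len(psk) <= PSK_MAX,
    }


if __name__ == "__main__":
    ssid = "HomeNet-7F3A"  # constructed sample SSID, not from the advisory
    weak = toy_default_psk(ssid)
    strong = random_psk()
    print("guess space for toy default:", attacker_guess_space_bits(ssid, toy_default_psk), "bits")
    print("entropy of 20-char random PSK:", round(random_psk_bits(20), 1), "bits")
    print("audit weak  :", audit_psk(ssid, weak))
    print("audit strong:", audit_psk(ssid, strong))
    print("PMK from predicted PSK:", wpa2_pmk(weak, ssid).hex())
```

The audit only catches the one derivation it is told about; its value is as a baseline gate at provisioning time, not as a detector for unknown schemes. The durable fix is the generator: a per-device passphrase from a CSPRNG has no relationship to anything an attacker can observe.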

Advisories and details are available in referenced sources, including a GitHub repository at https://github.com/hanianis/CVE-2025-63353 and a Medium article at https://medium.com/@hanianis.bouzid/fiberhome-gpon-onu-model-hg6145f1-router-predictable-wifi-passwords-and-real-risks-d8e54da385d3. No specific patch or mitigation guidance is detailed in the provided information.

Details

CWE(s)

CWE-284 Improper Access Control

Affected Products

fiberhome · hg6145f1 firmware · rp4423

CVEs Like This One

CVE-2025-30133 (shared CWE-284)
CVE-2025-1616 (same vendor: FiberHome)
CVE-2025-25950 (shared CWE-284)
CVE-2026-5786 (shared CWE-284)
CVE-2026-32768 (shared CWE-284)
CVE-2026-33109 (shared CWE-284)
CVE-2025-24968 (shared CWE-284)
CVE-2025-54914 (shared CWE-284)
CVE-2025-1941 (shared CWE-284)
CVE-2025-1259 (shared CWE-284)

References

https://github.com/hanianis/CVE-2025-63353 (GitHub repository, public PoC)
https://medium.com/@hanianis.bouzid/fiberhome-gpon-onu-model-hg6145f1-router-predictable-wifi-passwords-and-real-risks-d8e54da385d3 (Medium article)