{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54084", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-07-16T15:11:01.685Z", "datePublished": "2025-09-09T20:37:28.023Z", "dateUpdated": "2025-09-12T13:59:00.965Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Quantenna SoC"], "product": "GigaCenter ONT", "vendor": "Calix", "versions": [{"status": "affected", "version": "844E", "versionType": "custom"}, {"status": "affected", "version": "844G", "versionType": "custom"}, {"status": "affected", "version": "844GE", "versionType": "custom"}, {"status": "affected", "version": "854GE", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:calix:gigacenter_ont:844e:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:calix:gigacenter_ont:844g:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:calix:gigacenter_ont:844ge:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:calix:gigacenter_ont:854ge:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules)&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.</span><p>This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.</p>"}], "value": "OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules)\u00a0allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-09-12T13:59:00.965Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/bacalao"}, {"tags": ["product", "related"], "url": "https://www.calix.com"}, {"tags": ["third-party-advisory"], "url": "https://revers3everything.com/calix-case-five-0-days-five-cves/"}], "source": {"discovery": "UNKNOWN"}, "title": "Calix Gigacenter ONT - Command Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://fluidattacks.com/advisories/bacalao", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-10T15:55:26.837997Z", "id": "CVE-2025-54084", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T15:55:56.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54084", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-10T15:55:26.837997Z"}}}], "references": [{"url": "https://fluidattacks.com/advisories/bacalao", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T15:55:28.900Z"}}], "cna": {"title": "Calix Gigacenter ONT - Command Injection", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Calix", "modules": ["Quantenna SoC"], "product": "GigaCenter ONT", "versions": [{"status": "affected", "version": "844E", "versionType": "custom"}, {"status": "affected", "version": "844G", "versionType": "custom"}, {"status": "affected", "version": "844GE", "versionType": "custom"}, {"status": "affected", "version": "854GE", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/bacalao", "tags": ["third-party-advisory"]}, {"url": "https://www.calix.com", "tags": ["product", "related"]}, {"url": "https://revers3everything.com/calix-case-five-0-days-five-cves/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules)\u00a0allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.", "supportingMedia": [{"type": "text/html", "value": "OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules)&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.</span><p>This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:calix:gigacenter_ont:844e:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:calix:gigacenter_ont:844g:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:calix:gigacenter_ont:844ge:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:calix:gigacenter_ont:854ge:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-09-12T13:59:00.965Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54084", "state": "PUBLISHED", "dateUpdated": "2025-09-12T13:59:00.965Z", "dateReserved": "2025-07-16T15:11:01.685Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2025-09-09T20:37:28.023Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules)\u00a0allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE."}], "id": "CVE-2025-54084", "lastModified": "2025-09-12T14:15:41.363", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-09-09T21:15:36.657", "references": [{"source": "[email protected]", "url": "https://fluidattacks.com/advisories/bacalao"}, {"source": "[email protected]", "url": "https://revers3everything.com/calix-case-five-0-days-five-cves/"}, {"source": "[email protected]", "url": "https://www.calix.com"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://fluidattacks.com/advisories/bacalao"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "[email protected]", "type": "Secondary"}]}

{}