A severe remote code execution (RCE) vulnerability affects certain Calix networking devices, allowing attackers to gain complete system control without authentication.
The flaw impacts legacy devices running vulnerable CWMP (CPE WAN Management Protocol) services on TCP port 6998.
The critical vulnerability stems from improper input sanitization in the TR-069 protocol implementation. When connecting to TCP port 6998 on affected devices, attackers are greeted with a command prompt:
SSD Secure Disclosure reports that user input containing special characters such as backticks (`) or command substitution syntax ($()) is not properly sanitized, allowing arbitrary system commands to be executed with root privileges.
Calix Pre-Auth RCE on TCP Port 6998
Exploitation requires no authentication credentials, making this a particularly dangerous attack vector.
“Exploitation is very easy, just input any shell command you wish to run inside the parentheses,” noted the researcher’s report. For example:
This command executes a ping to the specified IP address with system-level permissions, confirming code execution capabilities.
More malicious commands could establish persistent backdoors, exfiltrate sensitive data, or use the device as a launchpad for network penetration.
The independent security researcher who discovered the vulnerability worked with SSD Secure Disclosure to document and report the issue.
Affected Devices
The vulnerability specifically impacts end-of-life (EOL) Calix hardware models:
812Gv2, 813Gv2, and 813Gv2-2 routers.
5VT devices developed by third parties under Calix branding.
Various rebranded devices (no comprehensive list available).
Notably, Calix’s current-generation Gigacenter devices are confirmed unaffected, as they “do not have a locally accessible CWMP (TR-069) service running,” according to the vendor’s response.
This isn’t the first serious security issue affecting Calix hardware. In 2022, researchers documented a different attack where threat actors exploited GigaCenter devices to install SOCKS proxy servers on port 8111, causing service degradation and requiring device reboots to temporarily mitigate.
Calix acknowledged the vulnerability, stating: “As the only devices with this vulnerability present appear to be these EOL rebranded systems, we will be closing this issue out. We will create an advisory for our customers who are still deploying these unsupported CPEs”.
Since affected devices are end-of-life, patches are unlikely. Security experts recommend:
Immediately identifying and decommissioning vulnerable devices.
Using network access control lists to block access to port 6998.
Isolating legacy hardware from critical network segments.
Implementing proper network segmentation to contain potential compromise.
Network administrators operating Calix infrastructure should immediately audit their deployments for exposed port 6998 services and take appropriate mitigation steps to protect against this trivially exploitable remote code execution vulnerability.
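One way to run the audit described above, as an added example that is not from the original article, SSD Secure Disclosure or Calix: a connect-only check of an inventory you administer for TCP port 6998. It sends no data to the service; the function names and the sample addresses (RFC 5737 documentation range) are assumptions made for illustration.

```python
"""Audit an inventory you administer for reachable TCP 6998 (connect-only)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

CWMP_LOCAL_PORT = 6998  # port named in the advisory


def expand_targets(entries):
    """Expand inventory entries (single IPs or CIDR blocks) into host addresses."""
    hosts = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.num_addresses == 1:
            # Single-address entry: take the address itself.
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def probe(host, port=CWMP_LOCAL_PORT, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no usable answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"  # handshake completed; nothing is written to the socket
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable hosts, e.g. an ACL drop
        return "filtered"


def audit(entries, port=CWMP_LOCAL_PORT, timeout=2.0, workers=32):
    """Probe every host in the inventory concurrently; return {host: state}."""
    hosts = expand_targets(entries)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: probe(h, port, timeout), hosts)
    return dict(zip(hosts, states))


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own management ranges.
    inventory = ["192.0.2.10", "192.0.2.16/30"]
    for host, state in audit(inventory, timeout=1.0).items():
        flag = "  <-- isolate or decommission" if state == "open" else ""
        print(f"{host}:{CWMP_LOCAL_PORT} {state}{flag}")
```

An "open" result only shows that something accepts connections on 6998 from where the script ran, so confirm the model against the affected list before acting. After an ACL is applied, the same hosts should report "filtered" or "closed" from that vantage point.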