Share
## https://sploitus.com/exploit?id=38BEC4C9-4C8D-5ACB-912D-D3874B1A408E
# CVE-2025-63353 PoC - FiberHome HG6145F1 Predictable Default Wi-Fi PSK

[![CVE](https://img.shields.io/badge/CVE-2025--63353-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2025-63353)
[![CVSS](https://img.shields.io/badge/CVSS-9.8_Critical-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2025-63353)
[![CWE](https://img.shields.io/badge/CWE-284-orange.svg)](https://cwe.mitre.org/data/definitions/284.html)
[![License](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)

> Educational research toolkit and multi-language PoC for **CVE-2025-63353**, a critical predictable-default-PSK vulnerability affecting FiberHome HG6145F1 RP4423 GPON ONT devices.

## Summary

The factory default Wi-Fi pre-shared key on affected FiberHome HG6145F1 devices is a deterministic function of the broadcast SSID. An attacker observing a beacon frame from a vulnerable device can derive the WPA2 PSK in constant time with no captured handshake, no wordlist, no GPU, and no client interaction.

For a device broadcasting SSID `fh_`, the default PSK is:

```
PSK = "wlan" + hex(0xFFFFFF XOR hex_a)
```

**Example:** `fh_a1f9d1` โ†’ `wlan5e062e`

The effective per-device keyspace is **1**. The population-wide keyspace across all HG6145F1 deployments is at most **2ยฒโด โ‰ˆ 16.7 million** (SSID, PSK) pairs and since the SSID is broadcast, the SSID-to-PSK mapping is one-to-one.

## Credits

This work is built entirely on the original vulnerability research and disclosure by **Hani Anis Bouzid**:

- **Original disclosure:** [Medium write-up](https://medium.com/@hanianis.bouzid/fiberhome-gpon-onu-model-hg6145f1-router-predictable-wifi-passwords-and-real-risks-d8e54da385d3)
- **Original PoC:** [github.com/hanianis/CVE-2025-63353](https://github.com/hanianis/CVE-2025-63353)
- **CVE Record:** [CVE-2025-63353](https://nvd.nist.gov/vuln/detail/CVE-2025-63353)

All credit for the vulnerability discovery and initial public disclosure belongs to Hani Anis Bouzid. This repository extends the original disclosure with multi-language PoC implementations and a curated technical documentation set.

## Repository contents

```
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ LICENSE
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ vulnerability.md          Technical analysis of the algorithm
โ”‚   โ”œโ”€โ”€ timeline.md               Disclosure chronology and vendor response
โ”‚   โ”œโ”€โ”€ affected-deployments.md   Device specifications and known deployments
โ”‚   โ”œโ”€โ”€ related-research.md       Lineage of predictable-PSK vulnerabilities
โ”‚   โ”œโ”€โ”€ references.md             Curated bibliography
โ”‚   โ””โ”€โ”€ mitigation.md             Guidance for users, ISPs, and vendors
โ””โ”€โ”€ poc/
    โ”œโ”€โ”€ python/      pure-Python implementation, no dependencies
    โ”œโ”€โ”€ go/          standalone Go binary
    โ”œโ”€โ”€ javascript/  browser-friendly JS / Node.js
    โ””โ”€โ”€ c/           portable single-file ANSI C (compiles anywhere)
```

## Quick start

```bash
# Python
python3 poc/python/fh-poc.py fh_a1f9d1
# wlan5e062e

# Go
cd poc/go && go run fh-poc.go fh_a1f9d1
# wlan5e062e

# JavaScript (Node)
node poc/javascript/fh-poc.js fh_a1f9d1
# wlan5e062e

# C
cc poc/c/fh-poc.c -o fh-poc && ./fh_psk fh_a1f9d1
# wlan5e062e
```

All four implementations are independently written, dependency-free, and produce identical output. Use whichever matches your environment.

## Affected devices

| Field | Value |
|---|---|
| Vendor | FiberHome (Wuhan FiberHome International Technologies) |
| Model | HG6145F1 |
| Firmware | RP4423 |
| Device type | GPON ONT, Wi-Fi 6 (802.11ax), dual-band 2.4/5 GHz |
| Standards | ITU-T G.984 Class B+, IEEE 802.11 a/b/g/n/ac/ax |

The vulnerability is currently disclosed for the HG6145F1 RP4423 firmware only. Verification across the broader HG6145 / HG6243 / HG6821 model family is an open research question. See [docs/affected-deployments.md](docs/affected-deployments.md).

## Mitigation

**For end users of an HG6145F1:**
1. Change the default Wi-Fi PSK to a randomly generated 16+ character passphrase immediately.
2. Disable WPS.
3. If your ISP controls firmware updates, ask whether a patched firmware is available.

See [docs/mitigation.md](docs/mitigation.md) for guidance specific to ISPs and vendors.

## Disclaimer

This repository is published **for educational and defensive security research purposes only**. The vulnerability documented here is publicly disclosed under CVE-2025-63353 and has been assigned a critical severity rating by CISA-ADP.

Use of the code in this repository against networks you do not own or do not have explicit written authorization to test is **illegal** in most jurisdictions, including under Moroccan Law 07-03 on cybercrime, the EU Computer Misuse frameworks, the US Computer Fraud and Abuse Act, and equivalent legislation elsewhere. The authors accept no responsibility for unauthorized use of this material.

## References

A complete bibliography of primary sources, related vulnerabilities, and academic literature is maintained in [docs/references.md](docs/references.md).

## Contributing

Verified test results against additional FiberHome models, firmware versions, or ISP-customized variants are welcome via pull request to `docs/affected-deployments.md`. Please include firmware version, device label SSID prefix, and method of verification.

## Author

**Ayman Wadi** โ€” Security Engineer

Built around an upcoming conference talk on the evolution of wireless attacks, the WPA3 transition, and the security of ISP-supplied CPE in the MENA region.