Cyber Posture

CVE-2025-67114

Severity: Critical

Published: 19 March 2026
Modified: 24 March 2026
KEV Added: none recorded
Patch: available (upgrade to DG3934v3@2308041842 or later)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the device's MAC address, enabling authentication bypass and full device access.

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

Prevent: Mandates secure authenticator management with sufficient strength of mechanism and procedures, so that device credentials cannot be predicted from device attributes such as the MAC address.

Prevent: Requires timely identification, reporting and remediation of flaws such as the deterministic credential algorithm, here delivered as a firmware upgrade.

Prevent: Enforces secure baseline configuration settings to mitigate vulnerabilities arising from default or weak firmware credential mechanisms.

Security Summary (AI-generated)

CVE-2025-67114 involves the use of a deterministic credential generation algorithm in the /ftl/bin/calc_f2 component of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware versions before DG3934v3@2308041842. This vulnerability, tracked under CWE-1391 (Use of Weak Credentials), lets an attacker derive valid administrative and root credentials directly from the device's MAC address, bypassing the authentication mechanism entirely.

Remote attackers can exploit this issue with no privileges, user interaction, or special access, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Once the MAC address is known, whether from network discovery or from public sources, the attacker computes the corresponding credentials offline and authenticates to obtain full administrative and root access. Because the only secret input is a device attribute that is not secret, no brute force or interaction with the device is needed before the first login attempt.

Firmware versions prior to DG3934v3@2308041842 are affected, with upgrading to DG3934v3@2308041842 or later serving as the primary mitigation. Additional details appear in the FCC report at https://fcc.report/FCC-ID/P27-SCE4255W/4790935.pdf, the FreedomFi website at https://freedomfi.com/index.html, and a NeroTeam blog post at https://neroteam.com/blog/freedomfi-sercomm-sce4255w-englewood.
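The following is an added example, not code from the advisory, from Sercomm, or from FreedomFi. It shows the CWE-1391 pattern behind this CVE generically: a password that is a pure function of the MAC address falls to anyone who learns the MAC, while a password drawn from a CSPRNG at provisioning does not. The MAC-seeded derivation below is a hypothetical stand-in; this page does not describe the real /ftl/bin/calc_f2 algorithm and it is not reproduced here. The sample MACs, the firmware constant, and the function names are constructed for the illustration.

```python
"""Added example: MAC-derived device credentials (CWE-1391) versus per-device
random credentials.  The derivation is a made-up stand-in, NOT the SCE4255W
calc_f2 logic.  All MACs and constants below are constructed."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def normalize_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 raw bytes."""
    hexstr = mac.replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexstr)


def make_record(mac: str, password: str) -> dict:
    """What the device stores: the MAC as metadata plus a salted PBKDF2 verifier."""
    salt = secrets.token_bytes(16)
    return {
        "mac": normalize_mac(mac).hex(),
        "salt": salt,
        "verifier": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
    }


def verify_password(record: dict, candidate: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, record["verifier"])


# --- Vulnerable scheme (hypothetical stand-in, not calc_f2) -----------------
# Every input is either public (the MAC is visible in ARP/DHCP traffic and on
# the device label) or a constant in the firmware image (recoverable by
# anyone who dumps it).  Hashing does not help: the attacker runs the same hash.
FIRMWARE_CONSTANT = b"vendor-static-seed"  # constructed


def derive_password_from_mac(mac: str) -> str:
    return hashlib.sha256(FIRMWARE_CONSTANT + normalize_mac(mac)).hexdigest()[:12]


def provision_vulnerable(mac: str) -> dict:
    return make_record(mac, derive_password_from_mac(mac))


# --- Hardened scheme ---------------------------------------------------------
def provision_hardened(mac: str) -> tuple[dict, str]:
    """Per-device password from a CSPRNG; the MAC never enters the derivation.
    The initial password is returned once (for the label or provisioning
    record) and should be forced to change on first login."""
    password = secrets.token_urlsafe(16)
    return make_record(mac, password), password


# --- Attacker's view: knows only the MAC (plus the firmware constant) --------
def mac_only_attack(record: dict) -> bool:
    """Derive the password offline from the MAC and try it against the verifier."""
    guess = derive_password_from_mac(record["mac"])
    return verify_password(record, guess)


def audit_fleet(records: list[dict]) -> list[str]:
    """Defender-side check: which devices in an inventory fall to the MAC-only
    attack.  Returns the affected MACs (hex, no separators)."""
    return [r["mac"] for r in records if mac_only_attack(r)]


if __name__ == "__main__":
    fleet = [
        provision_vulnerable("00:11:22:33:44:55"),
        provision_hardened("00:11:22:33:44:56")[0],
    ]
    print("devices crackable from MAC alone:", audit_fleet(fleet))
```

The point of `audit_fleet` is that the check needs no access to the devices themselves: if a credential scheme can be re-derived from inventory data (MAC addresses, serial numbers), the credential is already compromised for every device whose identifier is known, and the only fix is the one the vendor shipped, a per-device secret that is not a function of public attributes.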

Details

CWE(s): CWE-1391 Use of Weak Credentials

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1078.001 Default Accounts (tag: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability uses a deterministic algorithm to generate administrative and root credentials from the device's MAC address, so an adversary can log in remotely with vendor-determined credentials and no prior privileges (T1078.001). The credentials are per-device rather than a single shared default, but they are set by the vendor's firmware rather than by the operator, which is the case T1078.001 covers; the login itself looks like a legitimate administrative session, hence the stealth tag.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://fcc.report/FCC-ID/P27-SCE4255W/4790935.pdf
https://freedomfi.com/index.html
https://neroteam.com/blog/freedomfi-sercomm-sce4255w-englewood