Cyber Security News

Calix Devices Vulnerable to Pre-Auth RCE on Port 6998, Root Access Possible

A severe security flaw enabling unauthenticated remote code execution (RCE) with root privileges has been uncovered in select Calix networking devices, raising alarms for organizations using legacy hardware.

The vulnerability is reachable on TCP port 6998 and impacts end-of-life (EOL) devices running vulnerable CWMP services.

Vulnerability Overview

The issue stems from improper input sanitization in the TR-069 protocol (CWMP) service, which handles remote device management.

Attackers can exploit this by sending malicious commands enclosed in backticks (`) or using $() substitution syntax, allowing arbitrary system command execution.

Independent researcher John Doe, collaborating with SSD Secure Disclosure, identified the flaw. “Exploitation is trivial,” Doe noted.

“Attackers can gain root access without credentials by sending a single crafted payload to port 6998.”

Affected Devices

  • Calix 812Gv2, 813Gv2, and 813Gv2-2
  • 5VT Series (third-party devices under Calix branding)
  • Unspecified rebranded hardware (no public list available)

Notably, Calix’s newer Gigacenter lineup remains unaffected, as its CWMP service is not locally accessible.

Calix confirmed the vulnerability impacts only EOL devices and rebranded third-party hardware. In a statement, the company said:

“We’ve concluded analysis and confirmed supported Gigacenter devices are not at risk. For legacy systems, we’ll issue an advisory urging customers to retire or isolate affected devices immediately.”

  1. Isolate devices listening on port 6998.
  2. Update firmware if patches become available (limited due to EOL status).
  3. Replace EOL hardware with supported models.

Technical Analysis

During port scans, researchers observed port 6998 responding to connections with a cwmp.0001> prompt. Testing revealed:

  • Commands like $(id) returned uid=0(root), confirming root access.
  • Exploitation requires no authentication, enabling attacks from adjacent networks.

The vulnerability poses severe risks, including lateral movement, data theft, and persistent backdoor installation.

This flaw highlights risks in maintaining deprecated IoT and networking hardware. “Enterprises often overlook EOL device risks,” said Jane Smith, CISO at SecureNet. “This is a wake-up call to audit infrastructure and enforce lifecycle policies.”

With no patches expected for unsupported devices, organizations must prioritize decommissioning vulnerable systems. Cybersecurity experts urge network operators to:

  • Conduct port scans for 6998 exposures.
  • Segment legacy devices from critical networks.
  • Monitor for unusual activity in affected environments.
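An added example, not from the article or from Calix: a passive exposure check for the port 6998 scan and the cwmp.0001> prompt described above. It connects to each address in an operator's own inventory, reads only the greeting the service volunteers and never writes to the socket; the verdict strings and the digit-tolerant prompt pattern are assumptions.

```python
import re
import socket

CWMP_PORT = 6998  # TCP port named in the article
# The article reports a "cwmp.0001>" prompt; allowing other digits is an assumption.
PROMPT_RE = re.compile(rb"^\s*cwmp\.\d+>")


def classify_banner(banner: bytes) -> str:
    """Turn the bytes a service volunteers on connect into an audit verdict."""
    if PROMPT_RE.match(banner):
        return "exposed-cwmp-prompt"
    return "open-no-cwmp-prompt"


def read_greeting(sock: socket.socket, timeout: float = 2.0, limit: int = 64) -> bytes:
    """Passively read what the peer sends first; nothing is written to the socket."""
    sock.settimeout(timeout)
    try:
        return sock.recv(limit)
    except OSError:  # timeout or reset: the port is open but sent no greeting
        return b""


def check_host(host: str, port: int = CWMP_PORT, timeout: float = 2.0) -> str:
    """Return a verdict for one address: closed, open, or showing the CWMP prompt."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, unreachable or timed out
        return "closed-or-filtered"
    with sock:
        return classify_banner(read_greeting(sock, timeout))


def audit(hosts, port: int = CWMP_PORT, timeout: float = 2.0) -> dict:
    """Check every address in an inventory the operator owns."""
    return {host: check_host(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python audit_6998.py 192.0.2.10 192.0.2.11  (constructed addresses)
    for host, verdict in audit(sys.argv[1:]).items():
        print(f"{host}\t{verdict}")
```

Any address reported as exposed-cwmp-prompt belongs on the isolate-or-replace list; open-no-cwmp-prompt still warrants a manual look at what is listening on that port.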

Calix has not disclosed a timeline for its advisory release. For now, proactive mitigation remains the sole defense against potential exploits.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
