CVE-2025-63292

Nov. 18, 2025, 5:16 p.m.

3.5
Low

Description

Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025.

Product(s) Impacted

Vendor Product Versions
Free
  • Freebox V5 Hd
  • Freebox V5 Crystal
  • Freebox V6 Revolution
  • Freebox Mini 4k
  • Freebox One
  • *
  • *
  • *
  • *
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-319
Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a free freebox_v5_hd / 1.7.20 / / / / / /
a free freebox_v5_crystal / 1.7.20 / / / / / /
a free freebox_v6_revolution / 4.7.* / / / / / /
a free freebox_mini_4k / 4.7.* / / / / / /
a free freebox_one / 4.7.* / / / / / /

References

https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/
https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md

Tags

cve@mitre.org
CWE-319
2025-11-17
CVE-2025-63292

CVSS Score

3.5 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Nov. 17, 2025, 7:16 p.m.
Last Modified: Nov. 18, 2025, 5:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.