Description
Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the device's MAC address, enabling authentication bypass and full device access.
Published: 2026-03-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote authentication bypass allowing full device control
Action: Immediate Patch
AI Analysis

Impact

A deterministic credential generation routine located in /ftl/bin/calc_f2 of the FreedomFi Englewood Sercomm SCE4255W small cell firmware allows an attacker to compute valid administrative or root credentials from the device's MAC address. This flaw enables an unauthenticated remote attacker to bypass the authentication mechanism and obtain unrestricted control over the device; the weakness is classified as CWE-1391. The CVSS score of 9.8 reflects that the vulnerability can be exploited with minimal effort and yields complete device compromise.

Affected Systems

The vulnerability affects the Sercomm SCE4255W small cell (FreedomFi Englewood) running firmware versions prior to DG3934v3@2308041842. Users should verify their firmware version and update to the latest release, which eliminates the deterministic credential generation logic.

Risk and Exploitability

With a CVSS score of 9.8, the risk to any affected device is severe. Although the EPSS score is below 1% and the flaw is not listed in CISA's KEV catalog, the exploitation pathway (remote authentication bypass using credentials derived from the device's MAC address) is straightforward. An attacker only needs to learn a target device's MAC address, compute the administrative credentials with the deterministic algorithm, and then authenticate to gain full device access. The flaw remains exploitable until the firmware is updated or remote management is otherwise disabled.

Generated by OpenCVE AI on March 24, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the SCE4255W firmware to version DG3934v3 or newer, which removes the deterministic credential generation routine.
  • If a firmware update is unavailable, block external access to the device's remote management interfaces or restrict management traffic to trusted networks.
  • Monitor device logs for repeated authentication attempts and for logins that do not match expected administrative activity, which may indicate use of derived credentials.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000
  Type: Title
  Values Removed: (none)
  Values Added: Deterministic Credential Generation Exposes Administrative Credentials in Sercomm SCE4255W Small Cell

Tue, 24 Mar 2026 02:30:00 +0000
  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-1391

  Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000
  Type: First Time appeared
  Values Removed: (none)
  Values Added: Freedomfi; Freedomfi sercomm Sce4255w

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Freedomfi; Freedomfi sercomm Sce4255w

Thu, 19 Mar 2026 17:45:00 +0000
  Type: Description
  Values Removed: (none)
  Values Added: Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the device's MAC address, enabling authentication bypass and full device access.

  Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T01:23:37.027Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67114

Vulnrichment

Updated: 2026-03-24T01:23:32.552Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T18:16:15.713

Modified: 2026-03-24T02:16:03.830

Link: CVE-2025-67114

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:41Z

Weaknesses