Description
An OS command injection vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.
References (3)
Various Sources (third-party-advisory): https://fluidattacks.com/advisories/bacalao
Various Sources (product, related): https://www.calix.com
Various Sources (third-party-advisory): https://revers3everything.com/calix-case-five-0-days-five-cves/
Scores
CVSS v4: 8.5
CVSS v4 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0082
EPSS Percentile: 52.4%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (4)
Calix/GigaCenter ONT 844E
Calix/GigaCenter ONT 844G
Calix/GigaCenter ONT 844GE
Calix/GigaCenter ONT 854GE
Published: Sep 09, 2025
Tracked Since: Feb 18, 2026