{"cve":{"cve_id":"CVE-2025-54084","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00818,"epss_percentile":0.52394,"epss_as_of":"2026-06-23","description":"OS Command ('OS Command Injection') vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows authenticated attackers with 'super' user credentials to execute arbitrary OS commands through improper input validation, potentially leading to full system compromise.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.","published_at":"2025-09-09T20:37:28.023000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":8.5,"cvss_v4_vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","cvss_v4_severity":"HIGH","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-78"],"nvd_references":["https://fluidattacks.com/advisories/bacalao","https://www.calix.com","https://revers3everything.com/calix-case-five-0-days-five-cves/"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:27:33.172428Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"A","value_label":"Adjacent"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"H","value_label":"High"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"H","value_label":"High"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"N","value_label":"None"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"calix","vendor_name":"Calix","product_slug":"gigacenter-ont","product_name":"GigaCenter ONT","version_start":"844E","version_start_inclusive":true,"version_end":"844E","version_end_inclusive":true,"cpe23_uri":"cve5:calix:gigacenter-ont:844E:844E"},{"vendor_slug":"calix","vendor_name":"Calix","product_slug":"gigacenter-ont","product_name":"GigaCenter ONT","version_start":"844G","version_start_inclusive":true,"version_end":"844G","version_end_inclusive":true,"cpe23_uri":"cve5:calix:gigacenter-ont:844G:844G"},{"vendor_slug":"calix","vendor_name":"Calix","product_slug":"gigacenter-ont","product_name":"GigaCenter ONT","version_start":"844GE","version_start_inclusive":true,"version_end":"844GE","version_end_inclusive":true,"cpe23_uri":"cve5:calix:gigacenter-ont:844GE:844GE"},{"vendor_slug":"calix","vendor_name":"Calix","product_slug":"gigacenter-ont","product_name":"GigaCenter ONT","version_start":"854GE","version_start_inclusive":true,"version_end":"854GE","version_end_inclusive":true,"cpe23_uri":"cve5:calix:gigacenter-ont:854GE:854GE"}],"exploit_refs":[],"news":[],"references":[{"url":"https://fluidattacks.com/advisories/bacalao","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://www.calix.com","source_type":"MISC","tags":[]},{"url":"https://revers3everything.com/calix-case-five-0-days-five-cves/","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2025-09-09T20:37:28.023000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:47:42.774556Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:47:42.774556Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:47:42.774556Z","label":"CVSS score revised","source":"cvelistv5"}]}