CVE-2025-63292: Freebox Wi-Fi Leak Exposes IMSI, Threatens User Privacy

Overview

CVE-2025-63292 describes a security vulnerability affecting several Freebox models, including Freebox v5 HD, Freebox v5 Crystal, Freebox v6 Révolution r1–r3, Freebox Mini 4K, and Freebox One. The vulnerability exposes subscribers’ International Mobile Subscriber Identity (IMSI) identifiers in plaintext over the `FreeWifi_secure` network. This exposure occurs during the initial EAP-SIM authentication phase.

Technical Details

The vulnerability lies in the implementation of EAP-SIM authentication over the `FreeWifi_secure` network. Specifically, during the EAP-Response/Identity exchange, the subscriber’s full Network Access Identifier (NAI), which contains the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. This means that an attacker within Wi-Fi range (approximately 100 meters) can passively intercept these frames. No user interaction or elevated privileges are required to capture this sensitive data.
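As an added example (not code from the advisory or the vendor), this Python check parses an EAP-Response/Identity packet and flags a permanent EAP-SIM identity, which RFC 4186 defines as the digit 1 followed by the IMSI, while logging only a redacted form. The function names, sample IMSI (test network 001/01) and realm are constructed for illustration.

```python
import re
import struct

EAP_RESPONSE = 2       # EAP Code field value for a Response (RFC 3748)
EAP_TYPE_IDENTITY = 1  # EAP Type field value for Identity (RFC 3748)
# RFC 4186: a permanent EAP-SIM username is "1" followed by the IMSI digits.
# Any other all-digit username of this shape is also flagged (possible false positive).
PERMANENT_SIM = re.compile(r"^1(\d{6,15})$")


def parse_identity(eap: bytes):
    """Return the identity string of an EAP-Response/Identity packet, else None."""
    if len(eap) < 5:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if length < 5 or length > len(eap):
        return None  # truncated capture or malformed Length field
    return eap[5:length].decode("utf-8", errors="replace")


def classify(identity: str) -> dict:
    """Flag a permanent (IMSI-based) identity and produce a log-safe form."""
    username, _, realm = identity.partition("@")
    match = PERMANENT_SIM.match(username)
    if match is None:
        return {"leaks_imsi": False, "logged_as": "<non-permanent>@" + realm}
    imsi = match.group(1)
    # Keep only the 3-digit country code (MCC); mask the rest of the IMSI.
    redacted = "1" + imsi[:3] + "*" * (len(imsi) - 3)
    return {"leaks_imsi": True, "logged_as": redacted + "@" + realm}


def build_response(identity: str, ident: int = 1) -> bytes:
    """Build a constructed EAP-Response/Identity packet for testing the parser."""
    body = identity.encode()
    header = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(body), EAP_TYPE_IDENTITY)
    return header + body


def audit(eap: bytes):
    """Return the classification for an identity response, or None if not one."""
    identity = parse_identity(eap)
    return None if identity is None else classify(identity)
```

Run `audit()` over EAP payloads exported from a capture of your own device's association: a result with `leaks_imsi` set to true means the supplicant sent its permanent identity in the clear.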

Affected firmware versions include:

  • Freebox v5 HD: Firmware 1.7.20
  • Freebox v5 Crystal: Firmware 1.7.20
  • Freebox v6 Révolution r1–r3: Firmware 4.7.x
  • Freebox Mini 4K: Firmware 4.7.x
  • Freebox One: Firmware 4.7.x

CVSS Analysis

Because the vendor plans to deactivate the `FreeWifi_secure` service, no CVSS score has been assigned to this vulnerability. However, the potential impact on user privacy is significant.

Possible Impact

The disclosure of IMSI identifiers allows for several malicious activities:

  • Device Tracking: Attackers can track the physical location of users based on their IMSI.
  • Subscriber Correlation: The IMSI can be correlated with other data points to identify the subscriber.
  • Long-Term Monitoring: User presence can be monitored over time near any Freebox device broadcasting the `FreeWifi_secure` network.

Mitigation or Patch Steps

The vendor has acknowledged the vulnerability and is planning to fully deactivate the `FreeWifi_secure` service by October 1, 2025. Until then, users are strongly advised not to connect to the `FreeWifi_secure` network.

While a patch addressing the IMSI exposure is not explicitly planned (due to the service’s planned deactivation), users should ensure their Freebox devices are running the latest available firmware releases to benefit from other security updates.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
