CVE-2025-3461
📋 TL;DR
Quantenna Wi-Fi chips have an unauthenticated telnet interface enabled by default, allowing attackers to remotely access and control affected devices without credentials. This affects all systems using Quantenna Wi-Fi chipsets through SDK version 8.0.0.28. Device manufacturers implementing these chipsets and end users of affected devices are vulnerable.
💻 Affected Systems
- Quantenna Wi-Fi chipsets
- Devices using Quantenna Wi-Fi technology
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of affected devices allowing remote code execution, configuration changes, network traffic interception, and lateral movement within networks.
Likely Case
Unauthorized access to device management interfaces leading to configuration tampering, service disruption, and potential credential harvesting.
If Mitigated
Limited impact if telnet interface is disabled or network access is restricted, though underlying vulnerability remains.
🎯 Exploit Status
Simple telnet connection to port 23 on affected devices provides immediate access. No special tools or techniques required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://community.onsemi.com/s/article/QCS-Quantenna-Wi-Fi-product-support-and-security-best-practices
Restart Required: No
Instructions:
No official patch exists. Follow vendor best practices guide and implement workarounds.
🔧 Temporary Workarounds
Disable telnet service
allDisable the telnet interface on affected devices through configuration
telnet_disable
no telnet enable
service telnet disable
Network access control
allRestrict network access to telnet port (23) using firewall rules
iptables -A INPUT -p tcp --dport 23 -j DROP
netsh advfirewall firewall add rule name="Block Telnet" dir=in action=block protocol=TCP localport=23
🧯 If You Can't Patch
- Segment affected devices on isolated network segments
- Implement strict network monitoring for telnet connections to affected devices
🔍 How to Verify
Check if Vulnerable:
Attempt telnet connection to port 23 on affected device IP addresses. If connection succeeds without authentication, device is vulnerable.Check Version:
Check device firmware version or consult manufacturer documentation for Quantenna SDK versionVerify Fix Applied:
Verify telnet service is disabled by attempting connection to port 23 and confirming connection fails.📡 Detection & Monitoring
Log Indicators:
- Successful telnet connections without authentication
- Configuration changes from unknown sources
- Telnet service startup logs
Network Indicators:
- Unexpected telnet traffic to port 23
- Telnet connections from unauthorized IP addresses
SIEM Query:
source_port=23 AND (event_type="connection_successful" OR event_type="authentication_success")