CVE-2025-63292

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-63292
Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025.

3.5 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/ Broken Link
https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:freebox:v5_hd_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:v5_hd:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:freebox:v5_crystal_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:v5_crystal:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:freebox:v6_revolution_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:v6_revolution:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:freebox:mini_4k_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:mini_4k:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:freebox:one_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:one:-:*:*:*:*:*:*:*
History

04 Feb 2026, 20:50

Type Values Removed Values Added
References () https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/ - () https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/ - Broken Link
References () https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md - () https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md - Exploit, Third Party Advisory
CPE cpe:2.3:h:freebox:v5_crystal:-:*:*:*:*:*:*:*
cpe:2.3:o:freebox:one_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:freebox:v5_hd_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:mini_4k:-:*:*:*:*:*:*:*
cpe:2.3:o:freebox:mini_4k_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:freebox:v6_revolution_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:one:-:*:*:*:*:*:*:*
cpe:2.3:h:freebox:v6_revolution:-:*:*:*:*:*:*:*
cpe:2.3:o:freebox:v5_crystal_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:freebox:v5_hd:-:*:*:*:*:*:*:*
First Time Freebox v6 Revolution
Freebox
Freebox v5 Hd
Freebox v5 Crystal
Freebox mini 4k
Freebox v5 Hd Firmware
Freebox one Firmware
Freebox mini 4k Firmware
Freebox one
Freebox v6 Revolution Firmware
Freebox v5 Crystal Firmware

18 Nov 2025, 17:16

Type Values Removed Values Added
CWE CWE-319
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 3.5

17 Nov 2025, 20:15

Type Values Removed Values Added
Summary (en) reebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025. (en) Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025.

17 Nov 2025, 19:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-11-17 19:16

Updated : 2026-02-04 20:50

NVD link : CVE-2025-63292

Mitre link : CVE-2025-63292

CVE.ORG link : CVE-2025-63292

JSON object : View

Products Affected

freebox

  • one_firmware
  • v5_crystal
  • v6_revolution_firmware
  • v6_revolution
  • v5_crystal_firmware
  • v5_hd_firmware
  • mini_4k_firmware
  • mini_4k
  • v5_hd
  • one
CWE
CWE-319

Cleartext Transmission of Sensitive Information