CVE-2025-3461: ON Semiconductor Quantenna Telnet Missing Authentication

AHA! has discovered an issue with Quantenna Wi-Fi chips from ON Semiconductor, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on June 8, 2025. CVE-2025-3461 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Quantenna Wi-Fi chips ship with an unauthenticated telnet interface enabled by default. This is an instance of CWE-306, “Missing Authentication for Critical Function,” with an estimated CVSS score of 9.1.

Technical Details

Quantenna Wi-Fi chips do not require a password to log in as the root user via telnet, giving an attacker elevated access to the OS. A telnet server can be started in multiple ways (including through command injection attacks); the two commands below remotely start the telnet service through the qcsapi rpc service, which itself requires no authentication:

qcsapi_sockrpc run_script set_test_mode enable_telnet_srv 1

qcsapi_sockrpc run_script router_command.sh enable_telnet_srv 1

A login prompt is presented upon connecting to the telnet port. Entering “root” as the username logs in successfully without a password being required.
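For an integrator or operator who wants to verify on their own product that neither of the two conditions described above is present, the following audit helpers check a device's listening sockets for a network-reachable telnet listener and its account database for accounts that accept login with no password. This is an added example written for this page; it is not code from the AHA! advisory, from ON Semiconductor or from the Quantenna firmware. It assumes Linux-style `netstat -tln` output and `/etc/shadow`-style records (the page does not state the firmware's userland, so that format is an assumption), and the sample data embedded below is constructed.

```python
"""Audit helpers for the two conditions in the advisory: a telnet listener
reachable from the network, and an account (root in particular) whose
password field is empty, so login needs no password.

Added example; not part of the advisory or of any vendor code.
Assumes Linux-style `netstat -tln` output and /etc/shadow-style records.
"""
from typing import Dict, List

TELNET_PORT = 23
# Addresses that are only reachable from the device itself.
LOOPBACK_PREFIXES = ("127.", "::1")


def exposed_telnet_listeners(netstat_output: str) -> List[str]:
    """Return the local addresses of TCP listeners on port 23 that are bound
    to anything other than a loopback address (i.e. reachable over the network).
    0.0.0.0 and :: are 'any' addresses and therefore count as exposed."""
    exposed = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Expected columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, state = fields[3], fields[5]
        if state != "LISTEN":
            continue
        host, _, port = local.rpartition(":")  # rpartition copes with IPv6 colons
        if port != str(TELNET_PORT):
            continue
        if host.startswith(LOOPBACK_PREFIXES):
            continue
        exposed.append(local)
    return exposed


def passwordless_accounts(shadow_text: str) -> List[str]:
    """Return account names whose password field is empty. Hashed passwords
    and locked markers ('*', '!', '!!') are not reported; only an empty field
    allows login with no password."""
    names = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        name, pw_field = parts[0], parts[1]
        if pw_field == "":
            names.append(name)
    return names


def audit(netstat_output: str, shadow_text: str) -> Dict[str, List[str]]:
    """Combine both checks; an empty dict of findings means neither
    condition from the advisory was observed in the supplied data."""
    findings: Dict[str, List[str]] = {}
    telnet = exposed_telnet_listeners(netstat_output)
    if telnet:
        findings["exposed_telnet"] = telnet
    accounts = passwordless_accounts(shadow_text)
    if accounts:
        findings["passwordless_accounts"] = accounts
    return findings


# Constructed sample data (not captured from a real device).
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:23            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:23          192.168.1.50:51234      ESTABLISHED
tcp6       0      0 :::23                   :::*                    LISTEN
"""

SAMPLE_SHADOW = """root::0:0:99999:7:::
admin:$1$constructed$notARealHashValue:0:0:99999:7:::
daemon:*:0:0:99999:7:::
nobody:!:0:0:99999:7:::
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_NETSTAT, SAMPLE_SHADOW).items():
        print(f"{key}: {', '.join(value)}")
```

The loopback-bound listener is deliberately not reported: a telnet service reachable only from the device itself is not what the advisory describes, whereas listeners on 0.0.0.0 or :: are reachable from any interface, including the Wi-Fi side.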

Attacker Value

Assuming the implementor of the Quantenna Wi-Fi chip has failed to disable both the telnet functionality and the qcsapi rpc service in their end product, an attacker can use this vulnerability to essentially take complete control of the Quantenna Wi-Fi chip.

Note that it may be tricky to identify what end products incorporate this chipset. If you’re aware of this chipset in use in your Wi-Fi access point, please feel free to share, as end-users are unlikely to be capable of working around this issue on their own.

Credit

This vulnerability was discovered and documented by Ricky “HeadlessZeke” Lawshae of Keysight.

Timeline

  • 2025-03-27 (Thu): Presented at regularly scheduled AHA! meeting 0x00df
  • 2025-04-02 (Wed): Contact initiated to [email protected]
  • 2025-04-08 (Tue): Discovered [email protected] and established contact
  • 2025-04-11 (Fri): Acknowledged by the vendor
  • 2025 (April and May): Various communications about this and other discovered issues between AHA! and the vendor
  • 2025-05-19 (Mon): Draft best practices report shared with AHA!
  • 2025-05-30 (Fri): Best practices guidance published by the vendor
  • 2025-06-08 (Sun): Public disclosure of CVE-2025-3461