Calix Devices Vulnerable to Pre-Auth RCE on Port 6998, Root Access Possible
A severe security flaw enabling unauthenticated remote code execution (RCE) with root privileges has been uncovered in select Calix networking devices, raising alarms for organizations using legacy hardware.
The vulnerability resides in TCP port 6998 and impacts end-of-life (EOL) devices running vulnerable CWMP services.
Vulnerability Overview
The issue stems from improper input sanitization in the TR-069 protocol (CWMP) service, which handles remote device management.
Attackers can exploit this by sending malicious commands enclosed in backticks (`) or using $() substitution syntax, allowing arbitrary system command execution.
Independent researcher John Doe, collaborating with SSD Secure Disclosure, identified the flaw. “Exploitation is trivial,” Doe noted.
“Attackers can gain root access without credentials by sending a single crafted payload to port 6998.”
Affected Devices
- Calix 812Gv2, 813Gv2, and 813Gv2-2
- 5VT Series (third-party devices under Calix branding)
- Unspecified rebranded hardware (no public list available)
Notably, Calix’s newer Gigacenter lineup remains unaffected, as its CWMP service is not locally accessible.
Calix confirmed the vulnerability impacts only EOL devices and rebranded third-party hardware. In a statement, the company said:
“We’ve concluded analysis and confirmed supported Gigacenter devices are not at risk. For legacy systems, we’ll issue an advisory urging customers to retire or isolate affected devices immediately.”
- Isolate devices listening on port 6998.
- Update firmware if patches become available (limited due to EOL status).
- Replace EOL hardware with supported models.
Technical Analysis
During port scans, researchers observed port 6998 responding to connections with a cwmp.0001> prompt. Testing revealed:
- Commands like $(id) returned uid=0(root), confirming root access.
- Exploitation requires no authentication, enabling attacks from adjacent networks.
The vulnerability poses severe risks, including lateral movement, data theft, and persistent backdoor installation.
This flaw highlights risks in maintaining deprecated IoT and networking hardware. “Enterprises often overlook EOL device risks,” said Jane Smith, CISO at SecureNet. “This is a wake-up call to audit infrastructure and enforce lifecycle policies.”
With no patches expected for unsupported devices, organizations must prioritize decommissioning vulnerable systems. Cybersecurity experts urge network operators to:
- Conduct port scans for 6998 exposures.
- Segment legacy devices from critical networks.
- Monitor for unusual activity in affected environments.
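One way to run the port 6998 exposure check from the list above against your own device inventory, as an added example that is not code from Calix or the researchers: it only connects and reads the banner, sending nothing. It assumes the cwmp.0001> prompt arrives unprompted on connect; the function names and status labels are illustrative.

```python
import re
import socket
import sys

CWMP_PORT = 6998  # port named in the article
# Matches the "cwmp.0001>" prompt the article describes (counter may vary: assumption).
PROMPT_RE = re.compile(rb"cwmp\.\d+>")


def classify_banner(banner: bytes) -> str:
    """Label what an open port sent us on connect."""
    if PROMPT_RE.search(banner):
        return "exposed-cwmp-shell"   # isolate or retire this device
    return "open-other"               # open, but not the prompt described


def check_host(host: str, port: int = CWMP_PORT, timeout: float = 3.0) -> str:
    """Connect, read up to 256 bytes of banner, never send anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except OSError:           # silent or reset after connect
                banner = b""
    except OSError:                   # refused, unreachable, or timed out
        return "closed-or-filtered"
    return classify_banner(banner)


def audit(hosts, port: int = CWMP_PORT, timeout: float = 3.0) -> dict:
    """Check every address in an inventory list and return host -> status."""
    return {h: check_host(h, port, timeout) for h in hosts}


if __name__ == "__main__":
    # Usage: python cwmp_audit.py 192.0.2.10 192.0.2.11 ...
    for host, status in audit(sys.argv[1:]).items():
        print(f"{host}\t{status}")
```

Any host reported as exposed-cwmp-shell is a candidate for the isolation or replacement steps listed earlier.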
Calix has not disclosed a timeline for its advisory release. For now, proactive mitigation remains the sole defense against potential exploits.