Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the device's MAC address, enabling authentication bypass and full device access.
The /ftl/bin/calc_f2 component in the device firmware uses a deterministic algorithm to generate administrative credentials. This algorithm is predictable and based on the device's MAC address, which is publicly available information. An attacker knowing the MAC address can independently calculate the correct administrative/root password without any additional knowledge or privileges. The vulnerability is classified as CWE-1391 (use of a weak set of default credentials).
An attacker can remotely authenticate as an administrator or root user and gain full control over the device, including the ability to modify configuration, intercept network traffic, and perform further lateral movement within the network.
The device firmware should be updated to version DG3934v3@2308041842 or newer. Additionally, it is recommended to restrict network access to the device's administrative interface and monitor attempts at unauthorized login.
Sercomm SCE4255W Small Cell (FreedomFi Englewood) — firmware versions earlier than DG3934v3@2308041842
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H