CVE-2021-27144
Description
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded f~i!b@e#r$h%o^m*esuperadmin / s(f)u_h+g|u credentials for an ISP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FiberHome HG6245D devices contain hardcoded credentials for an ISP superadmin account in the web daemon, allowing pre-auth remote access.
Vulnerability
The FiberHome HG6245D GPON FTTH router, through firmware version RP2613, contains hardcoded credentials (f~i!b@e#r$h%o^m*esuperadmin / s(f)u_h+g|u) in the web daemon (HTTP/HTTPS server) intended for an ISP superadmin account. These credentials are present by default and do not require any prior authentication or configuration to be exploited. The vulnerability affects at least firmware versions RP2602 and RP2613, and likely other FiberHome devices due to a shared codebase [1].
Exploitation
An attacker on the local network (LAN) can directly access the web interface (default HTTP/HTTPS) and supply the hardcoded credentials to gain authenticated access. No user interaction or prior authentication is required. With these credentials, the attacker can enable a proprietary CLI telnetd service on port 23/TCP. This can be done through the web interface at https://target/fh. The device has no firewall for IPv6, making internal services reachable from the Internet over IPv6 as well [1].
Impact
Successful exploitation allows an attacker to gain authenticated access to the device's web interface with ISP superadmin privileges. From there, enabling the CLI telnetd provides a root shell on the device via Linux telnetd, achieving full remote code execution (RCE) and complete compromise of the router. The attack can be performed pre-authentication from the LAN or, via IPv6, from the WAN [1].
Mitigation
Firmware RP2613 is the latest affected version, and no patched firmware has been released as of the publication date (2021-02-10). Users should restrict LAN access to the device's web interface and disable IPv6 if not required. There is no known workaround other than network segmentation and firewall rules. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FiberHome/HG6245D
Patches
No patches discovered yet.
References
[1] pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html (mitre, x_refsource_MISC)