CVE-2021-27145

Vulnerability

The FiberHome HG6245D GPON FTTH router (firmware versions up to RP2613) contains hardcoded credentials admin / lnadmin in its web daemon [1]. These credentials are intended for ISP use but are not changeable by the user. The vulnerability exists in the HTTP/HTTPS interface, which is accessible by default on the LAN and also reachable over IPv6 from the WAN due to lack of IPv6 firewall [1].

Exploitation

An attacker with network access to the device (LAN via IPv4/IPv6 or WAN via IPv6) can simply use the hardcoded credentials to authenticate to the web interface [1]. No additional privileges or user interaction are required. The attacker can then enable a proprietary CLI telnetd or the Linux telnetd using backdoor credentials, ultimately gaining a root shell [1].

Impact

Successful exploitation grants the attacker full administrative control over the device, including the ability to read and modify configuration, intercept traffic, and potentially pivot to other network segments [1]. The attacker achieves root-level access, leading to complete compromise of confidentiality, integrity, and availability.

Mitigation

As of the publication date (February 2021), the latest firmware version RP2613 is still vulnerable, and no patch has been released [1]. Users should restrict network access to the device, disable remote management if possible, and monitor for firmware updates from FiberHome. The device may be end-of-life; consider replacing it with a supported alternative.