CVE-2021-27146

Vulnerability

The web daemon (httpd) on FiberHome HG6245D devices up to firmware version RP2613 (and possibly later) contains hardcoded credentials admin / CUadmin intended for an ISP [1]. These credentials are present in the source code of the web server and can be used to authenticate to the web interface [1]. Affected versions include RP2602 and RP2613, and likely all firmware releases [1].

Exploitation

The attacker must have network access to the device's web interface (typically LAN, or WAN via IPv6 due to lack of firewall) [1]. With knowledge of the hardcoded username and password, the attacker can simply log in to the web portal using these credentials [1]. No user interaction or prior authentication is required for this step [1]. Once authenticated, the attacker can enable a CLI telnetd service or directly access the Linux telnetd to obtain a root shell [1].

Impact

Successful exploitation grants the attacker administrative access to the device's web interface, which can be leveraged to enable the telnet service and then obtain a root shell on the device [1]. This leads to full compromise of the router, including the ability to modify configurations, intercept traffic, and pivot to other network assets [1].

Mitigation

FiberHome has not released a fix for these hardcoded credentials as of the publication date [1]. The vendor was notified but did not respond [1]. Users should ensure the device's management interface is not exposed to the internet and restrict access to trusted networks [1]. There is no known patch; the device may be end-of-life or unsupported [1].