CVE-2021-27147

Vulnerability

The FiberHome HG6245D GPON FTTH router, including firmware versions RP2602 and RP2613, contains hardcoded credentials admin / admin in its HTTP/HTTPS web daemon [1]. These credentials are intended for ISP use but are publicly known and unchangeable [1]. The web interface is accessible by default on the LAN over IPv4 and also over IPv6 with no firewall, making it reachable from the WAN [1].

Exploitation

An attacker with network access to the device — either from the LAN (IPv4/IPv6) or from the WAN over IPv6 — can simply navigate to the web login page and authenticate using the hardcoded username admin and password admin [1]. Once authenticated, the attacker can enable a proprietary CLI telnet service via the web interface at /telnet, and then further enable the Linux telnetd using the same credentials or an authentication bypass, ultimately obtaining a root shell on the device [1].

Impact

Successful exploitation grants the attacker full root access to the router [1]. This compromises all three aspects of CIA: an attacker can read and modify device configuration (confidentiality and integrity), intercept or redirect network traffic, and cause denial of service (availability) [1]. The device can be fully controlled, leading to potential use in botnets, eavesdropping, or further attacks on the internal network [1].

Mitigation

FiberHome has not released a fixed firmware version for this issue as of the publication date (2021-02-10) [1]. The latest firmware version RP2613 is also confirmed vulnerable [1]. Users are advised to restrict access to the web interface by disabling remote management, applying strict firewall rules, and using VLAN segmentation [1]. If possible, upgrade to a newer firmware version if one becomes available. This CVE is not listed on the CISA Known Exploited Vulnerabilities catalog as of the knowledge cutoff.