CVE-2021-27148

Vulnerability

The web daemon on FiberHome HG6245D devices (firmware versions RP2602 through RP2613) contains hardcoded credentials telecomadmin / nE7jA%5m intended for ISP use [1]. These credentials are embedded in the HTTP server and can be used to authenticate to the web interface without any prior access.

Exploitation

An attacker with network access to the device's web interface (typically on LAN, but also reachable over IPv6 from WAN due to lack of firewall) can simply use the hardcoded username and password to log in [1]. No authentication bypass or additional steps are required; the credentials are valid for the web daemon.

Impact

Successful authentication grants the attacker administrative access to the web interface, which can be used to enable telnet services and ultimately obtain a root shell on the device [1]. This leads to full compromise of the router, including the ability to modify configuration, intercept traffic, and pivot into the internal network.

Mitigation

FiberHome has not released a patch for this issue as of the publication date (February 2021) [1]. The latest firmware version RP2613 at the time was also vulnerable. Users should restrict network access to the web interface, disable remote management, and monitor for firmware updates from the vendor. If possible, replace the device with a more secure alternative.