CVE-2021-27151

Vulnerability

The web daemon on FiberHome HG6245D devices (firmware versions through RP2613) contains hardcoded credentials rootmet / m3tr0r00t intended for an ISP account. This backdoor is present in the HTTP server and allows authentication without any prior access. The vulnerability was confirmed on firmware RP2602 and RP2613, and likely affects other FiberHome models such as AN5506-04-FA [1].

Exploitation

An attacker with network access to the device (LAN via IPv4, or WAN via IPv6 due to lack of IPv6 firewall) can exploit the hardcoded credentials by sending HTTP requests to the web interface. The attacker authenticates using the backdoor credentials, then can enable a proprietary CLI telnetd or directly obtain a root shell via the Linux telnetd. No user interaction is required [1].

Impact

Successful exploitation grants the attacker root-level access to the device, allowing full control over the router. This includes the ability to read and modify configuration, intercept network traffic, launch further attacks on the internal network, and persist access. The compromise is complete and remote [1].

Mitigation

As of the publication date (February 2021), no official firmware patch has been released to remove the hardcoded credentials. Users should restrict network access to the device by disabling remote management, applying strict firewall rules, and isolating the router on a separate VLAN. If possible, replace the device with a patched or alternative model [1].