Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27153

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded trueadmin / admintrue credentials for an ISP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome HG6245D routers through RP2613 contain hardcoded ISP credentials (trueadmin/admintrue) in the web daemon, allowing remote attackers to gain administrative access.

Vulnerability

The web daemon on FiberHome HG6245D devices through firmware version RP2613 contains hardcoded credentials trueadmin / admintrue intended for an ISP account [1]. These credentials are embedded in the source code and are not changeable by the user. The vulnerability affects all tested firmware versions, including RP2602 and the latest RP2613 [1].

Exploitation

An attacker can exploit this vulnerability by accessing the device's web interface over the local network (HTTP/HTTPS on LAN) or over IPv6 from the WAN, as the device lacks a firewall for IPv6 [1]. Using the hardcoded credentials, the attacker can authenticate to the web administration panel without any prior knowledge or user interaction [1].

Impact

Successful authentication with the hardcoded credentials grants the attacker administrative access to the web interface [1]. From there, the attacker can enable the telnet service and use additional backdoor credentials to obtain a root shell, leading to full compromise of the device [1]. This allows complete control over the router, including the ability to modify configurations, intercept traffic, and launch further attacks.

Mitigation

As of the publication date, no firmware patch has been released by FiberHome to address this issue [1]. Users are advised to restrict network access to the device by disabling remote management, implementing strict firewall rules, and ensuring the device is not exposed to the internet. If possible, consider replacing the device with a more secure alternative [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
