CVE-2021-27154

Vulnerability

The FiberHome HG6245D GPON FTTH router (software versions up to and including RP2613) has a hardcoded username and password (admin / G0R2U1P2ag) for the ISP account in the web daemon. These credentials are present in all tested firmware versions and are intended for ISP access but expose a privileged login on the HTTP/HTTPS interface (port 80/443 by default on the LAN). The credentials are not user-changeable. Reference [1] confirms this for version RP2602 and the latest RP2613.

Exploitation

An attacker with network access to the LAN-side HTTP/HTTPS interface (or IPv6 WAN access, as there is no firewall for IPv6) can simply use the hardcoded credentials to log into the web administration panel. No authentication bypass or prior access is required. Once logged in, the attacker can enable a proprietary CLI telnet service and subsequently the Linux telnet daemon, using additional backdoor commands [1]. The attack does not require user interaction or any special configuration.

Impact

Successful authentication with the hardcoded admin account grants full administrative access to the router's web interface. This can be leveraged to enable Telnet services and ultimately obtain a root shell on the device (via additional hardcoded credentials for telnet). A remote attacker can achieve pre-authentication remote code execution as root, potentially compromising the entire device and the network behind it [1].

Mitigation

The vendor (FiberHome) has not released a firmware patch that removes or hardens these credentials as of the publication date (February 2021) [1]. Users cannot change the credentials themselves. The recommended mitigation is to restrict access to the router's management interface to trusted LAN hosts only, disable remote management, and block IPv6 traffic if not needed. The device is also believed to be vulnerable via WAN IPv6; thus a firewall rule to block IPv6 HTTP/HTTPS access is critical until a fix is provided.