VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27155

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded admin / 3UJUh2VemEfUtesEchEC2d2e credentials for an ISP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome HG6245D devices up to RP2613 ship with hardcoded admin/3UJUh2VemEfUtesEchEC2d2e credentials in the web daemon, enabling pre-auth remote control.

Vulnerability

FiberHome HG6245D GPON FTTH routers running firmware versions up to RP2613 contain a hardcoded credential pair (admin / 3UJUh2VemEfUtesEchEC2d2e) in the web daemon (httpd). These credentials are intended for ISP use but are baked into the firmware and are not intended to be changed. The vulnerability is present in all tested versions, including RP2602 and the latest RP2613 [1].

Exploitation

An attacker with network access to the device from the LAN (IPv4) or from the WAN (IPv6, because the device has no IPv6 firewall) can authenticate to the web interface using the hardcoded credentials. From the authenticated web panel, the attacker can enable a proprietary CLI telnetd on port 23/tcp and subsequently use the same or additional hardcoded credentials to obtain a root shell. No user interaction or prior authentication is required beyond knowledge of the hardcoded credentials [1].

Impact

Successful exploitation gives the attacker a root shell on the device, leading to full compromise of the router. The attacker can then intercept, redirect, or modify all traffic passing through the device, pivot to other internal hosts, and persist on the device indefinitely [1].

Mitigation

As of the publication date, FiberHome has not released a patch for this issue. The vendor was contacted but did not respond. Users should restrict LAN and WAN access to the web interface, use a firewall to block IPv6 traffic to internal services, and monitor for unsolicited administrative logins. There is no known workaround that removes the hardcoded credentials without modifying firmware [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
