VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27159

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded useradmin / 888888 credentials for an ISP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome HG6245D devices contain hardcoded credentials (useradmin/888888) for the web daemon, allowing ISP-level access.

Vulnerability

The FiberHome HG6245D GPON FTTH router, up to firmware version RP2613, contains hardcoded credentials useradmin / 888888 for the ISP account in the web daemon (httpd). This issue was discovered and publicly disclosed by Pierrick Kim. The vulnerability is present in all tested firmware versions, including RP2602 and RP2613, and likely affects other FiberHome models such as the AN5506-04-FA [1].

Exploitation

An attacker with network access to the device's web interface (typically from the LAN, but also reachable over IPv6 from the WAN due to the lack of an IPv6 firewall) can authenticate using the hardcoded credentials useradmin / 888888 [1]. No prior authentication or user interaction is required. The attacker can then enable a telnet service and use additional backdoor credentials to gain a root shell [1].

Impact

Successful exploitation allows an attacker to gain administrative access to the router, enabling full control over the device. This can lead to complete compromise of the device's configuration, interception or modification of traffic, and potential lateral movement within the network. The impact is considered high as it exposes the ISP-level credentials and allows privilege escalation to root [1].

Mitigation

As of the publication date (2021-02-10), no official fix or firmware update has been released by FiberHome. The latest firmware version RP2613 remains vulnerable [1]. Users are advised to restrict network access to the device's management interface, firewall IPv6 traffic, and monitor for any vendor updates. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
