Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27160

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded user / 888888 credentials for an ISP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome HG6245D devices contain hardcoded ISP credentials (user / 888888) in the web daemon, allowing unauthorized access.

Vulnerability

The FiberHome HG6245D router (firmware versions RP2602 through RP2613) has a hardcoded credential pair user / 888888 in its web daemon (HTTP/HTTPS server). This backdoor account is intended for ISP use, but is present in the binary and can be used by anyone with network access to the device. The vulnerability was confirmed on hardware version WKE2.094.277A01 with software versions RP2602 and RP2613; other FiberHome models (AN5506-04-FA, AN5506-04-FAT, AN5506-04-F) likely share the same codebase and are also affected [1].

Exploitation

An attacker must have network connectivity to the device's web interface (typically LAN via IPv4 or WAN via IPv6, as the IPv6 firewall is disabled). No authentication is required prior to using the hardcoded credentials. The attacker simply sends an HTTP request to the management interface and authenticates with the username "user" and the password "888888" [1].

Impact

Successful authentication grants the attacker access to the web administration panel. From there, the attacker can enable a CLI telnet daemon on port 23/tcp, then use further hardcoded or bypassed credentials to gain a root shell on the device. This leads to full remote compromise: information disclosure, configuration changes, and denial of service. Since the access is pre-authentication, the impact is severe [1].

Mitigation

As of the publication date (2021-02-10) and update (Feb 7, 2021), the latest firmware RP2613 remained vulnerable. FiberHome did not release a patched firmware. Users should restrict network access to the management interface (disable WAN-side access, use firewall rules to limit LAN access to trusted hosts) and monitor for unauthorized access attempts. No fix was available at the time of disclosure [1].
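
The monitoring step above, as an added example (not part of the advisory or any FiberHome tooling): a Python check over flow records from an upstream firewall or switch that flags web-management connections from untrusted sources and any telnet connection to the device. The device addresses, the trusted admin host and the flow-log layout are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Assumptions (not from the advisory): device addresses, trusted admin host,
# and the flow-log layout. All sample records below are constructed.
DEVICE_ADDRS = {ipaddress.ip_address("192.168.1.1"),
                ipaddress.ip_address("2001:db8:10::1")}
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.10/32")]
WEB_PORTS = {80, 443}   # web daemon (HTTP/HTTPS) named in the advisory
TELNET_PORT = 23        # CLI telnet daemon on 23/tcp named in the advisory

SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2021-02-10T09:00:01Z,192.168.1.10,192.168.1.1,443,tcp
2021-02-10T09:05:12Z,192.168.1.57,192.168.1.1,80,tcp
2021-02-10T09:06:40Z,2001:db8:ffff::25,2001:db8:10::1,80,tcp
2021-02-10T09:07:02Z,2001:db8:ffff::25,2001:db8:10::1,23,tcp
2021-02-10T09:08:00Z,192.168.1.57,192.168.1.20,443,tcp
2021-02-10T09:09:00Z,not-an-ip,192.168.1.1,80,tcp
"""

def review_flows(text):
    """Return (timestamp, finding, source) tuples for flows worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError):
            # Keep malformed records visible instead of dropping them silently.
            findings.append((row["ts"], "unparsed", row["src"]))
            continue
        if dst not in DEVICE_ADDRS or row["proto"] != "tcp":
            continue
        trusted = any(src in net for net in TRUSTED_NETS)
        if dport == TELNET_PORT:
            # The advisory describes telnet being enabled after a web login,
            # so any telnet flow to the device is reported, trusted or not.
            findings.append((row["ts"], "telnet-to-device", str(src)))
        elif dport in WEB_PORTS and not trusted:
            findings.append((row["ts"], "untrusted-web-mgmt", str(src)))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

The IPv6 sample rows matter because the advisory notes the web interface is reachable from the WAN over IPv6; an allowlist that only covers IPv4 sources would miss them.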

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
