CVE-2021-27161

Vulnerability

The FiberHome HG6245D GPON FTTH router (and possibly other models such as AN5506-04-FA) contains hardcoded credentials admin / 1234 for the built-in web daemon (HTTP/HTTPS). This issue affects devices running firmware versions up to RP2613. The web interface is listening on the LAN by default, and due to a lack of firewall for IPv6, internal services may be reachable from the Internet over IPv6 [1].

Exploitation

An attacker with network access to the router's LAN (or WAN via IPv6) can simply authenticate to the web interface using the hardcoded credentials admin and 1234. No additional privileges or user interaction are required. This is a direct authentication bypass that does not involve any exploit chain or complex steps [1].

Impact

Successful authentication with the hardcoded credentials provides full administrative access to the web-based management interface. This can allow an attacker to modify router settings, enable additional services such as a telnet daemon, and ultimately gain root shell access to the device, leading to complete compromise of confidentiality, integrity, and availability [1].

Mitigation

FiberHome has not released a patch for this vulnerability as of the publication date (February 2021). A fix is not yet available in the disclosed references. Users are advised to restrict network access to the management interface, disable remote administration, and monitor for firmware updates. The devices are not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].