CVE-2021-27162

Vulnerability

The FiberHome HG6245D GPON FTTH router, through firmware version RP2613, contains hardcoded credentials (user / tattoo@home) for an ISP account in its HTTP/HTTPS web daemon. This vulnerability is documented by researchers and confirmed on hardware version WKE2.094.277A01 running software versions RP2602 and RP2613. The hardcoded credentials are accessible to any user who can reach the web interface on the LAN (default). [1]

Exploitation

An attacker with LAN access can use the hardcoded credentials to authenticate to the web interface at https://target/fh. Once authenticated, the attacker can enable a proprietary CLI telnet daemon and subsequently enable the Linux telnet daemon, leading to a root shell. The device also lacks firewall rules for IPv6, making internal services reachable from the WAN over IPv6, which broadens the attack surface. [1]

Impact

Successful exploitation allows an unauthenticated attacker (with LAN or, via IPv6, WAN access) to gain a root shell on the device. This results in full compromise of the router, enabling information disclosure, configuration modification, and potential use as a pivot point in the network. [1]

Mitigation

As of the publication date (2021-02-10), no fix or patch has been released by FiberHome for the HG6245D. Users should restrict LAN access to the web interface, disable IPv6 if not needed, and monitor for firmware updates. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]