CVE-2021-27163
Description
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded admin / tele1234 credentials for an ISP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FiberHome HG6245D devices contain hardcoded credentials `admin`/`tele1234` for the web daemon, allowing attackers to access the ISP-level admin interface.
Vulnerability
The FiberHome HG6245D GPON FTTH router, through firmware version RP2613, contains hardcoded credentials (admin / tele1234) for the web daemon (HTTP/HTTPS) [1]. These credentials are intended for Internet Service Provider (ISP) use but are statically defined in the firmware, making them accessible to anyone who can reach the web interface [1]. The device listens on HTTP/HTTPS by default on the LAN; however, due to a lack of firewall for IPv6, the web interface is also reachable from the WAN over IPv6 [1].
Exploitation
An unauthenticated attacker on the same LAN (or from the WAN via IPv6) can simply navigate to the router's web interface (https:///fh) and log in with the hardcoded credentials admin / tele1234 [1]. No additional privileges or user interaction are required. Once authenticated as admin, the attacker can further enable a proprietary CLI telnetd (via the /telnet API) and subsequently gain a root shell using other backdoor credentials [1].
Impact
Successful exploitation grants the attacker full administrative access to the router's web interface, equivalent to ISP-level privileges. From there, the attacker can modify device configurations, potentially enable additional remote access services, and ultimately achieve complete compromise of the device, including root access to the underlying Linux operating system [1].
Mitigation
As of the publication date (February 10, 2021), no firmware patch has been released to remove or change the hardcoded credentials [1]. The latest firmware version at the time (RP2613) remains vulnerable. Users should restrict network access to the device's web interface, ensure IPv6 firewall rules are properly configured, and monitor vendor updates for a fix. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FiberHome/HG6245D
Patches
No patches discovered yet.
References
[1] pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html (mitre, x_refsource_MISC)