CVE-2021-27165

Vulnerability

The FiberHome HG6245D GPON FTTH router (all firmware versions through RP2613, including RP2602 and RP2613) has a telnet daemon on port 23/tcp that is not reachable by default from the LAN but can be enabled via the web administration interface. The daemon accepts hardcoded credentials gpon/gpon, which are documented as default credentials on the device [1].

Exploitation

An attacker with network access to the web administration interface (typically on the LAN, but also reachable over IPv6 from the WAN due to lack of IPv6 firewall) can enable the telnet daemon by leveraging hardcoded credentials or a backdoor /telnet API on the web server, and then use the gpon/gpon credentials to log into the telnet shell as root [1].

Impact

Successful exploitation grants the attacker a root shell on the device, allowing full control of the router, including privilege escalation, data exfiltration, network manipulation, and use as a pivot point [1].

Mitigation

FiberHome has not released a fixed firmware version for the HG6245D as of the disclosure date (February 2021). Users should restrict remote access to the device, disable telnet if possible, and apply firewall rules to block unsolicited IPv6 traffic. The device may be EOL or no longer supported [1].