CVE-2021-27166
Description
An issue was discovered on FiberHome HG6245D devices through RP2613. The password for the enable command is gpon.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FiberHome HG6245D devices have a hardcoded enable password 'gpon' allowing unauthorized privileged configuration access.
Vulnerability
The FiberHome HG6245D GPON FTTH router, including firmware versions up to RP2613, contains a hardcoded password for the device's enable command in the proprietary CLI. The password is 'gpon' [1]. This vulnerability is present in the CLI accessible via telnet (which can be enabled) and potentially via the web interface. The default configuration does not expose telnet externally, but it can be enabled through hardcoded web credentials or other backdoor mechanisms [1].
Exploitation
An attacker who can reach the device's telnet service (on the LAN, over IPv6 from the WAN due to the lack of an IPv6 firewall, or after first enabling telnet via the web interface using other backdoor credentials) can enter the enable command and provide the hardcoded password 'gpon' [1]. Once a telnet session is established with default or backdoor credentials, no further authentication is required beyond this password. The steps are: (1) establish a telnet session to the device, (2) type enable, (3) enter the password gpon [1].
Impact
Successful exploitation grants the attacker privileged access to the device's configuration mode (enable-level access) [1]. From there, the attacker can view or modify the device's configuration, potentially gaining full control. This can lead to further compromise, such as enabling additional services, altering network settings, or achieving remote code execution with root privileges, as the device has other vulnerabilities that chain with this one [1].
Mitigation
As of the publication date (2021-02-10), no firmware patch was available; the latest firmware RP2613 is still vulnerable [1]. Users are advised to limit telnet and web access to trusted networks only, disable IPv6 if not required, and monitor for vendor updates. The device has not been listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FiberHome/HG6245D
Patches
No patches discovered yet.
References
[1] pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html (mitre, x_refsource_MISC)