CVE-2021-27167

Vulnerability

The FiberHome HG6245D GPON FTTH router (firmware versions up to RP2613) contains a hardcoded password generation mechanism for the admin account. The password consists of only four hexadecimal characters, generated by the function init_3bb_password in libci_adaptation_layer.so. This results in a maximum of 65536 possible passwords, making it trivial to brute-force. The vulnerability is present in firmware versions RP2602 and RP2613, and likely affects other FiberHome devices such as the AN5506-04-FA [1].

Exploitation

An attacker can exploit this vulnerability by first gaining network access to the device's web interface (HTTP/HTTPS on LAN, or via IPv6 from WAN due to lack of IPv6 firewall). Using the predictable password generation, the attacker can brute-force the four-character hex password to authenticate as admin. Once authenticated, the attacker can enable a CLI telnetd service using backdoor credentials or the /telnet API, then use the same weak admin password to gain a root shell via Linux telnetd [1].

Impact

Successful exploitation allows an attacker to gain root-level access to the device. This leads to full compromise of the router, including the ability to intercept, modify, or redirect network traffic, install persistent malware, and pivot to other devices on the network. The impact is critical due to the trivial nature of the attack and the widespread deployment of these devices in South America and Southeast Asia [1].

Mitigation

As of the publication date (2021-02-10), no official patch has been released by FiberHome. The latest firmware version RP2613 remains vulnerable. Users are advised to restrict network access to the device's management interfaces, disable remote management if possible, and monitor for firmware updates. The device may be at end-of-life; consider replacing it with a more secure alternative [1].