VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27169

Description

An issue was discovered on FiberHome AN5506-04-FA devices with firmware RP2631. There is a gepon password for the gepon account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome AN5506-04-FA devices with firmware RP2631 contain a hardcoded 'gepon' password, enabling unauthorized access.

Vulnerability

FiberHome AN5506-04-FA devices running firmware RP2631 contain a hardcoded password for the gepon account [1]. This account is intended for maintenance and the password is static across devices, making it a backdoor.

Exploitation

An attacker with network access to the device (LAN or WAN via IPv6) can authenticate as the gepon user using the known hardcoded password [1]. The blog notes that telnetd is not enabled by default but can be activated via the web interface using other hardcoded credentials; however, if telnet or other services are accessible, the gepon password can be used directly.

Impact

Successful authentication as gepon grants the attacker a CLI shell on the device, leading to full compromise of the router. The attacker can read sensitive configuration, modify settings, or use the device as a pivot for further attacks on the network [1].

Mitigation

As of the publication date, no firmware update has been released to address this issue. Users should restrict network access to the device, disable unnecessary services, and monitor for vendor updates. The device may be at end-of-life; consider replacing it if no patch is provided [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
