CVE-2021-27170

Vulnerability

By default, FiberHome HG6245D routers (through firmware RP2613) have no firewall rules for IPv6 connectivity, leaving internal management interfaces accessible over IPv6 from the Internet. This affects all tested firmware versions including RP2602 and the latest RP2613 [1].

Exploitation

An attacker on the WAN can reach internal services (e.g., the web interface) over IPv6 without authentication. The device's default configuration exposes HTTP/HTTPS on the LAN, but due to the missing IPv6 firewall, these services are also reachable from the WAN over IPv6. The attacker can then leverage backdoor credentials or other vulnerabilities to gain further access [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to access internal management interfaces over IPv6, potentially leading to full device compromise including pre-auth RCE as root. All internal services become exposed to the Internet via IPv6 [1].

Mitigation

As of the publication date, no official fix or firmware update has been released to address this issue. Users may consider disabling IPv6 on the WAN interface or implementing external firewall rules to block IPv6 traffic to the device. The latest firmware (RP2613) is still vulnerable [1].