VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27172

Description

An issue was discovered on FiberHome HG6245D devices through RP2613. A hardcoded GEPON password for root is defined inside /etc/init.d/system-config.sh.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome HG6245D devices contain a hardcoded root password for GEPON, allowing attackers to gain root access via telnet.

Vulnerability

An issue was discovered on FiberHome HG6245D devices through firmware version RP2613. A hardcoded GEPON password for the root user is defined inside /etc/init.d/system-config.sh. This static credential is present in all tested firmware versions, including the latest RP2613 [1].
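An added example, not part of the advisory or of FiberHome's code: a firmware-review check that scans the init scripts of an unpacked root filesystem for literal credentials of the kind described above. The regular expressions, function names and sample script are assumptions constructed for illustration; the actual contents of system-config.sh are not shown on this page.

```python
import re
from pathlib import Path

# Heuristic patterns chosen for this example (assumptions, not taken from
# the FiberHome script): ways an init script can pin a literal password.
PATTERNS = [
    ("literal piped to chpasswd",
     re.compile(r"""echo\s+["']?\w+:[^\s"'|$]+["']?\s*\|\s*chpasswd""")),
    ("literal piped to passwd",
     re.compile(r"""echo\s+(-e\s+)?["'][^"'$]+["']\s*\|\s*passwd\b""")),
    ("account line appended to passwd/shadow",
     re.compile(r"""\w+:[^:\s$]{2,}:.*>>?\s*\S*/etc/(passwd|shadow)""")),
    ("password variable set to a literal",
     re.compile(r"""^\s*(export\s+)?\w*(pass(w(or)?d)?|pwd)\w*=["']?[^\s"'$`]+""", re.I)),
]

def scan_script(text):
    """Return (line number, label) for each line that pins a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((lineno, label))
                break
    return findings

def scan_rootfs(root):
    """Scan every file in <root>/etc/init.d of an unpacked firmware image."""
    results = {}
    for path in sorted(Path(root, "etc/init.d").glob("*")):
        if path.is_file():
            hits = scan_script(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results

# Constructed sample; the placeholder value is not a real credential.
SAMPLE = '''#!/bin/sh
ROOT_PASSWD="EXAMPLE-NOT-REAL"
echo "root:$ROOT_PASSWD" | chpasswd
echo "admin:EXAMPLE-NOT-REAL" | chpasswd
USER_PASSWD="$(cat /var/run/user_pw)"
'''

if __name__ == "__main__":
    for lineno, label in scan_script(SAMPLE):
        print(f"line {lineno}: {label}")
```

Lines that only reference a variable or read the secret at runtime are not flagged, so a hit points at the place where the literal value is defined.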

Exploitation

An attacker with network access to the device can exploit this vulnerability. The device exposes HTTP/HTTPS services on the LAN by default, and IPv6 services are reachable from the WAN due to the lack of a firewall [1]. The attacker can use the hardcoded credentials to enable the proprietary CLI telnetd via the web interface, then log in as root using the same credentials. Alternatively, the attacker can directly access the Linux telnetd if it is enabled [1].

Impact

Successful exploitation grants the attacker a root shell on the device, leading to full compromise. This includes the ability to read and modify all device configurations, intercept network traffic, and use the device as a pivot point for further attacks on the internal network [1].

Mitigation

As of the publication date (February 2021), no firmware fix has been released by FiberHome. The latest version RP2613 remains vulnerable. Users should restrict network access to the device, disable IPv6 if not required, and monitor for future firmware updates. No workaround is available [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
