VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2021 · Updated Aug 3, 2024

CVE-2021-27174


Description

An issue was discovered on FiberHome HG6245D devices through RP2613. wifi_custom.cfg has cleartext passwords and 0644 permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FiberHome HG6245D routers store Wi-Fi credentials in cleartext in a world-readable file, leaking the pre-shared key.

Vulnerability

FiberHome HG6245D GPON FTTH routers running firmware versions RP2602 through RP2613 store Wi-Fi configuration in /fhconf/wifi_custom.cfg. This file contains the Wi-Fi pre-shared key (PSK) and other credentials in cleartext and is assigned permissions 0644, making it readable by any local user or process [1]. The vulnerability is present in all tested firmware versions, including the latest RP2613, and is likely shared across other FiberHome device models due to a common codebase [1].

Exploitation

An attacker who gains any level of access to the device's filesystem, for instance via an existing shell, a web application flaw, or by exploiting the lack of an IPv6 firewall to reach internal services, can simply read /fhconf/wifi_custom.cfg [1]. No authentication beyond local user access is required to retrieve the file. On the default LAN-only attack surface, the attacker must first obtain local execution capability, but from the WAN side over IPv6 the internal services are reachable, lowering the barrier [1].

Impact

Successful exploitation reveals the Wi-Fi network's pre-shared key in plaintext, allowing the attacker to decrypt wireless traffic, join the private network, and potentially pivot to other devices on the same LAN. This constitutes a confidentiality breach of network credentials and can lead to further compromise of the home or small-office network [1].

Mitigation

As of February 2021 the vendor had not released a patched firmware that encrypts the credentials or restricts file permissions [1]. No workaround is available beyond limiting IPv6 exposure and ensuring the device's web interface is not accessible from untrusted networks. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
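An added example, not part of the advisory or of FiberHome's code: a check for the condition described above, meant to be run over an extracted firmware root filesystem. It flags world-readable regular files that contain credential-like keys and reports key names only, never values. The key-name pattern and the sample file contents are assumptions, since the page does not show the format of wifi_custom.cfg.

```python
import os
import re
import stat
import tempfile

# Assumed key names: the page does not show the layout of wifi_custom.cfg.
SECRET = re.compile(
    rb"(?im)^\s*([\w.-]*(?:psk|passw(?:or)?d|passphrase|secret)[\w.-]*)\s*[=:]\s*(\S+)"
)

def audit_tree(root):
    """Find world-readable regular files under root that hold cleartext secrets.

    Returns (relative path, octal mode, sorted key names); values are never returned.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # config files are small; cap the read
            # Heuristic: values starting with "$" look like crypt(3) hashes, skip them.
            keys = sorted({k.decode() for k, v in SECRET.findall(data)
                           if not v.startswith(b"$")})
            if keys:
                rel = os.path.relpath(path, root)
                findings.append((rel, format(stat.S_IMODE(st.st_mode), "04o"), keys))
    return sorted(findings)

def demo():
    """Build a constructed rootfs with the 0644 file beside a 0600 copy and audit it."""
    sample = b"ssid=HomeNet\nwpa_psk=CONSTRUCTED-VALUE\nadmin_password=CONSTRUCTED\n"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "fhconf"))
        for name, mode in (("wifi_custom.cfg", 0o644), ("wifi_locked.cfg", 0o600)):
            path = os.path.join(root, "fhconf", name)
            with open(path, "wb") as fh:
                fh.write(sample)
            os.chmod(path, mode)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, mode, keys in demo():
        print(f"{rel} mode={mode} cleartext keys: {', '.join(keys)}")
```

Only the 0644 copy is reported; the identical file at 0600 passes the permission check, although its contents are still stored in cleartext.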

Affected products

2

Patches

0

No patches discovered yet.


References

1
