CVE-2021-27178

Vulnerability

FiberHome HG6245D GPON FTTH routers through firmware version RP2613 store some passwords in cleartext in nvram [1]. The issue was discovered in devices with software version RP2602 and confirmed in the latest firmware RP2613 as well [1]. The impact extends to other FiberHome models such as AN5506-04-FA, AN5506-04-FAT, and AN5506-04-F due to shared codebase [1].

Exploitation

To exploit this vulnerability, an attacker needs to have local access to the device's nvram, for example through a root shell obtained via other means such as pre-auth RCE over LAN or WAN (IPv6) as described in the advisory [1]. The stored cleartext passwords can then be read directly from nvram. No user interaction or additional authentication is required once the attacker has access to the storage.

Impact

An attacker who successfully reads the cleartext passwords from nvram gains access to sensitive credentials, leading to information disclosure of authentication secrets stored on the device. This can enable further compromise of the device or related services using those passwords.

Mitigation

As of the publication date (February 2021), no firmware fix was available. The advisory states that the latest version RP2613 is also vulnerable [1]. Users should monitor FiberHome for official patches. Until a fix is released, consider restricting network access to the device, especially disabling IPv6 connectivity, and avoiding exposure of the management interface to untrusted networks. The vulnerability is not listed in CISA KEV as of this writing.