CVE-2021-27147
📋 TL;DR
FiberHome HG6245D devices contain hardcoded admin/admin credentials in their web daemon, allowing attackers to gain administrative access to the device. This affects all users of FiberHome HG6245D devices through firmware version RP2613. The vulnerability is particularly dangerous because it provides complete control over the device.
💻 Affected Systems
- FiberHome HG6245D
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the device, enabling them to reconfigure network settings, intercept traffic, install malware, or use the device as a pivot point into the internal network.
Likely Case
Attackers use the credentials to log into the web interface, change device settings, and potentially disrupt network connectivity or monitor user traffic.
If Mitigated
If devices are behind firewalls with strict access controls and network segmentation, the risk is reduced but not eliminated for internal threats.
🎯 Exploit Status
Exploitation requires only web browser access to the device's management interface and knowledge of the hardcoded credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
Contact FiberHome for firmware updates. Check with your ISP for patched firmware versions.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the device's management interface using firewall rules and network segmentation.
Change Default Credentials
If the device allows credential changes, immediately change the admin password to a strong, unique value.
🧯 If You Can't Patch
- Isolate the device on a separate VLAN with strict access controls
- Monitor network traffic to/from the device for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Attempt to log into the device's web interface using admin/admin credentials. If successful, the device is vulnerable.
Check Version:
Check the firmware version in the device's web interface, or via SSH/Telnet if available.
Verify Fix Applied:
Verify that admin/admin credentials no longer work and that a custom password is required.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login with admin/admin
- Configuration changes from unknown IP addresses
Network Indicators:
- HTTP requests to device management interface from unexpected sources
- Unusual outbound traffic from the device
SIEM Query:
source_ip="device_ip" AND ((http_method="POST" AND uri="/login.cgi" AND response_code=200) OR (event_type="authentication_success" AND username="admin"))
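The two log indicators above (failed attempts followed by a successful admin login, and admin activity from unknown addresses) as detection logic over constructed sample log lines. This is an added example, not part of the original advisory or any FiberHome tooling; the log format, field names and the allow-listed management host are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed syslog-style format for the web daemon's
# authentication events; the HG6245D's real log format is not documented here.
SAMPLE_LOGS = [
    "2021-02-10T09:00:01Z src=192.168.1.50 event=authentication_failure username=admin",
    "2021-02-10T09:00:03Z src=192.168.1.50 event=authentication_failure username=admin",
    "2021-02-10T09:00:05Z src=192.168.1.50 event=authentication_success username=admin",
    "2021-02-10T09:10:00Z src=203.0.113.7 event=authentication_success username=admin",
    "2021-02-10T09:20:00Z src=192.168.1.10 event=authentication_success username=admin",
    "2021-02-10T09:30:00Z src=192.168.1.50 event=config_change username=admin",
]

# Assumption: the only host that should ever administer the device.
ALLOWED_ADMIN_SOURCES = {"192.168.1.10"}
FAILURE_THRESHOLD = 2  # failures from one source before a success is suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+) username=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, allowed_sources=ALLOWED_ADMIN_SOURCES, threshold=FAILURE_THRESHOLD):
    """Return (rule, source, timestamp) alerts for the advisory's two log indicators.

    brute_force_then_success: >= threshold failures from a source, then an
        admin login success from that same source.
    admin_activity_from_unexpected_source: admin login or configuration change
        from a source outside the allow-list.
    """
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, event = rec["src"], rec["event"]
        if event == "authentication_failure":
            failures[src] += 1
            continue
        if event == "authentication_success" and rec["user"] == "admin":
            if failures[src] >= threshold:
                alerts.append(("brute_force_then_success", src, rec["ts"]))
            failures[src] = 0  # a success closes the failure window
        if event in ("authentication_success", "config_change") and src not in allowed_sources:
            alerts.append(("admin_activity_from_unexpected_source", src, rec["ts"]))
    return alerts
```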