CVE-2021-27149

9.8 CRITICAL

📋 TL;DR

CVE-2021-27149 is a critical authentication bypass vulnerability affecting FiberHome HG6245D devices. Attackers can use hardcoded admin credentials (adminpldt/z6dUABtl270qRxt7a2uGTiw) to gain administrative access to the web interface. This affects all users of vulnerable FiberHome HG6245D devices through firmware version RP2613.

💻 Affected Systems

Products:
  • FiberHome HG6245D
Versions: All versions through RP2613
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web daemon component. The credentials are hardcoded in the firmware and cannot be changed by users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to reconfigure network settings, intercept traffic, install backdoors, or use the device as a pivot point into internal networks.

🟠 Likely Case

Unauthorized administrative access leading to network configuration changes, service disruption, and potential credential harvesting from connected devices.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound rules and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly exploited by any attacker without authentication.
🏢 Internal Only: HIGH - Internal attackers or malware with network access can exploit this vulnerability to gain administrative control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web browser access to the device's management interface using the published credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after RP2613

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Contact ISP or FiberHome for updated firmware.
2. Backup current configuration.
3. Upload new firmware via web interface.
4. Factory reset device.
5. Restore configuration from backup.

🔧 Temporary Workarounds

Network Isolation

Applies to: all

Place vulnerable devices in isolated network segments with strict firewall rules preventing access to management interfaces.

Access Control Lists

Applies to: all

Implement network ACLs to restrict access to device management interfaces to authorized IP addresses only.

🧯 If You Can't Patch

  • Replace vulnerable devices with patched or alternative models
  • Implement strict network segmentation and monitor all access attempts to device management interfaces

🔍 How to Verify

Check if Vulnerable:

Attempt to log into the device web interface at http://[device-ip] using credentials adminpldt/z6dUABtl270qRxt7a2uGTiw. Successful login indicates vulnerability.

Check Version:

Check the web interface status page or, if telnet/SSH is available, run 'cat /etc/version' or an equivalent command.

Verify Fix Applied:

Attempt to log in with hardcoded credentials after patching - access should be denied. Verify firmware version is newer than RP2613.

📡 Detection & Monitoring

Log Indicators:

  • Failed login attempts followed by successful login with adminpldt username
  • Configuration changes from unexpected IP addresses
  • Multiple authentication attempts in short timeframes

Network Indicators:

  • HTTP POST requests to login endpoints with hardcoded credentials
  • Unusual traffic patterns from device management interfaces

SIEM Query:

source="device_logs" (username="adminpldt" AND result="success") OR (user_agent CONTAINS "scanner" AND uri="/login.cgi")
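As an added illustration of the log indicators above (not part of this advisory, and not vendor code), the following Python assumes a constructed, simplified device log format (real HG6245D log output may differ) and flags the failed-then-successful adminpldt login pattern together with configuration changes from source IPs outside an allowlist.

```python
import re
from collections import defaultdict

# Constructed sample log lines for demonstration only; the format
# "<timestamp> <src_ip> login user=<name> result=<success|failure>" and
# "<timestamp> <src_ip> config_change item=<name>" is an assumption.
SAMPLE_LOGS = """\
2021-02-10T10:00:01 203.0.113.7 login user=adminpldt result=failure
2021-02-10T10:00:03 203.0.113.7 login user=adminpldt result=failure
2021-02-10T10:00:05 203.0.113.7 login user=adminpldt result=success
2021-02-10T10:00:09 203.0.113.7 config_change item=dns_servers
2021-02-10T11:15:00 192.168.1.10 login user=admin result=success
2021-02-10T11:15:20 192.168.1.10 config_change item=wifi_ssid
"""

LOGIN_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(success|failure)$")
CHANGE_RE = re.compile(r"^(\S+) (\S+) config_change item=(\S+)$")


def detect(log_text, hardcoded_user="adminpldt", trusted_ips=frozenset()):
    """Return alert strings for (a) any successful login as the hardcoded
    account, noting how many failures preceded it from the same source, and
    (b) configuration changes from IPs outside the trusted allowlist."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            if result == "failure":
                failures[ip] += 1
                continue
            if user == hardcoded_user:
                alerts.append(
                    f"{ts} hardcoded-account login from {ip} after {failures[ip]} failures"
                )
            failures[ip] = 0  # a success ends the failure run
            continue
        m = CHANGE_RE.match(line)
        if m:
            ts, ip, item = m.groups()
            if ip not in trusted_ips:
                alerts.append(f"{ts} config change '{item}' from untrusted {ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, trusted_ips=frozenset({"192.168.1.10"})):
        print(alert)
```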
