CVE-2021-27151

9.8 CRITICAL

📋 TL;DR

FiberHome HG6245D optical network terminal devices contain hardcoded root credentials (rootmet/m3tr0r00t) in their web daemon. This allows attackers to gain administrative access to the device's web interface. All users of affected FiberHome HG6245D devices through firmware version RP2613 are vulnerable.

💻 Affected Systems

Products:
  • FiberHome HG6245D Optical Network Terminal
Versions: Through firmware version RP2613
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with the vulnerable firmware are affected regardless of configuration. The web interface is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the optical network terminal, allowing attackers to reconfigure network settings, intercept traffic, deploy malware, or use the device as a pivot point into the internal network.

🟠 Likely Case

Unauthorized administrative access to the device web interface, enabling network configuration changes, service disruption, and credential harvesting.

🟢 If Mitigated

Limited impact if the device is behind a firewall with restricted web interface access and strong network segmentation.

🌐 Internet-Facing: HIGH - Web interface is typically accessible from the internet on these devices, allowing remote exploitation.
🏢 Internal Only: HIGH - Even internally, any user on the network could exploit these credentials to gain administrative access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply need to navigate to the web interface and use the hardcoded credentials. No special tools or skills required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after RP2613

Vendor Advisory: https://www.fiberhome.com/security-advisory/

Restart Required: Yes

Instructions:

1. Contact your ISP or FiberHome for updated firmware.
2. Download the firmware update.
3. Log into device web interface.
4. Navigate to firmware update section.
5. Upload and apply the new firmware.
6. Reboot the device.

🔧 Temporary Workarounds

Disable Web Interface

all

Disable the web management interface if not required for operations

telnet 192.168.1.1
login: root
password: rootmet
disable httpd

Restrict Web Interface Access

linux

Configure firewall rules to restrict access to the web interface

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Isolate the device on a separate VLAN with strict access controls
  • Implement network monitoring for authentication attempts using the hardcoded credentials

🔍 How to Verify

Check if Vulnerable:

Attempt to log into the web interface at http://[device-ip] using username 'rootmet' and password 'm3tr0r00t'

Check Version:

telnet [device-ip] 23, then run 'cat /etc/version' or check web interface system info page

Verify Fix Applied:

Attempt to log in with the hardcoded credentials; the login should fail. Check that the firmware version is greater than RP2613.

📡 Detection & Monitoring

Log Indicators:

  • Successful authentication with username 'rootmet'
  • Multiple failed login attempts followed by successful 'rootmet' login

Network Indicators:

  • HTTP POST requests to login endpoint with hardcoded credentials
  • Unusual administrative configuration changes

SIEM Query:

source="device_logs" (username="rootmet" AND auth_result="success")
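
A detector for the log indicators listed above, as an added example that is not part of the original advisory. The key=value log layout and the ts and src fields are assumptions; username, auth_result and the rootmet account name come from this page, and the threshold and window are illustrative values.

```python
import re
from collections import defaultdict, deque

HARDCODED_USER = "rootmet"  # account name given in this advisory
FAIL_THRESHOLD = 3          # assumed: failures that count as "multiple"
WINDOW_SECONDS = 300        # assumed: look-back window for those failures
# Constructed sample log; the key=value layout, ts and src are assumptions.
SAMPLE_LOGS = """\
ts=1700000000 src=198.51.100.23 username=admin auth_result=fail
ts=1700000020 src=198.51.100.23 username=root auth_result=fail
ts=1700000041 src=198.51.100.23 username=admin auth_result=fail
ts=1700000060 src=198.51.100.23 username=rootmet auth_result=success
ts=1700000500 src=192.168.1.50 username=admin auth_result=success
ts=1700000900 src=203.0.113.7 username="rootmet" auth_result="success"
line without the expected fields
ts=1700001000 src=192.168.1.50 username=rootmet auth_result=fail
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def detect(lines):
    """Return (ts, src, kind) alerts for use of the hardcoded account."""
    alerts = []
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if not {"ts", "src", "username", "auth_result"} <= ev.keys() or not ev["ts"].isdigit():
            continue  # skip lines that are not authentication events
        ts, src = int(ev["ts"]), ev["src"]
        fails = recent_fails[src]
        while fails and ts - fails[0] > WINDOW_SECONDS:
            fails.popleft()  # forget failures outside the window
        hardcoded = ev["username"] == HARDCODED_USER
        if ev["auth_result"] != "success":
            fails.append(ts)
            if hardcoded:  # failed use of the account, e.g. on patched firmware
                alerts.append((ts, src, "hardcoded_attempt"))
            continue
        if hardcoded:
            burst = len(fails) >= FAIL_THRESHOLD
            alerts.append((ts, src, "fails_then_hardcoded_login" if burst else "hardcoded_login"))
        fails.clear()  # a success ends the current failure streak
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOGS.splitlines()), sep="\n")
```

Failed rootmet attempts are reported as well, so the same rule stays useful once the device runs firmware later than RP2613.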
