CVE-2021-27153
📋 TL;DR
CVE-2021-27153 is a critical authentication bypass vulnerability affecting FiberHome HG6245D optical network terminals. The web daemon contains hardcoded administrative credentials (trueadmin/admintrue) that allow attackers to gain full administrative access to the device. This affects all FiberHome HG6245D devices through firmware version RP2613.
💻 Affected Systems
- FiberHome HG6245D
📦 What is this software?
The FiberHome HG6245D is an optical network terminal (ONT), the customer-premises device that terminates an ISP's fiber connection. Its built-in web daemon provides the management interface in which the hardcoded credentials reside.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the device, allowing them to reconfigure network settings, intercept traffic, install malware, or use the device as a pivot point into internal networks.
Likely Case
Attackers exploit the credentials to gain administrative access, potentially changing device configurations, monitoring network traffic, or using the device in botnets.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the device itself without lateral movement into protected networks.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded credentials and access to the web interface. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after RP2613
Vendor Advisory: https://www.fiberhome.com/security/
Restart Required: Yes
Instructions:
1. Contact your ISP or FiberHome for updated firmware.
2. Back up the current configuration.
3. Upload the new firmware via the web interface.
4. Reboot the device.
5. Restore the configuration if needed.
🔧 Temporary Workarounds
Disable Web Management Interface
Disable the vulnerable web interface if it is not required for operations:
1. Access the device CLI via telnet/SSH
2. Navigate to the web interface settings
3. Disable HTTP/HTTPS management
Network Access Control
Restrict access to the device management interface using firewall rules. Note that the rules below drop all inbound HTTP/HTTPS traffic, including legitimate administration; if remote management must remain available, add an ACCEPT rule for your trusted management subnet before them.
```shell
# Drop inbound web-management traffic from every source
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```
🧯 If You Can't Patch
- Segment affected devices in isolated network zones with strict firewall rules
- Implement network monitoring for authentication attempts using the hardcoded credentials
🔍 How to Verify
Check if Vulnerable:
Attempt to log into the device web interface using credentials trueadmin/admintrue
Check Version:
Check web interface status page or use telnet/SSH to query firmware version
Verify Fix Applied:
Verify firmware version is newer than RP2613 and test that trueadmin/admintrue credentials no longer work
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login
- Multiple login attempts from single source
- Administrative configuration changes from unexpected sources
Network Indicators:
- HTTP POST requests to login endpoints with hardcoded credentials
- Unusual traffic patterns from device management interface
SIEM Query:
```
source="device_logs" AND (username="trueadmin" OR password="admintrue")
```
Most devices do not write submitted passwords to their logs, so in practice the username clause is the one that fires; any authentication as trueadmin should be treated as an indicator, since that account exists only because of the hardcoded credential.
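The log indicators above, turned into a small detector, as an added example that is not part of the original advisory. The HG6245D's actual log format is not documented on this page, so the syslog-like line layout, the `webd` process name and the sample entries below are constructed assumptions; adapt the regular expression to the real format before use. The script flags logins with the hardcoded account, failed attempts followed by a success from the same source, repeated failures from one source, and configuration changes from sources outside a trusted management set.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed layout; not real HG6245D output).
SAMPLE_LOGS = """\
2021-01-20T10:00:01 ont webd: login failed user=admin src=198.51.100.7
2021-01-20T10:00:05 ont webd: login failed user=admin src=198.51.100.7
2021-01-20T10:00:09 ont webd: login success user=trueadmin src=198.51.100.7
2021-01-20T10:01:30 ont webd: config changed item=wan.dns src=198.51.100.7
2021-01-20T11:15:00 ont webd: login success user=admin src=10.0.0.5
2021-01-20T11:16:12 ont webd: config changed item=wifi.ssid src=10.0.0.5
"""

# Assumed line format: "<timestamp> <host> webd: <event> [user=..] [item=..] src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ webd: (?P<event>login failed|login success|config changed)"
    r"(?: user=(?P<user>\S+))?(?: item=(?P<item>\S+))? src=(?P<src>\S+)$"
)

# The hardcoded account named in the advisory; no operator should log in with it.
HARDCODED_USERS = {"trueadmin"}


def parse(lines):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(lines, trusted_sources, fail_threshold=2):
    """Return (indicator, source_ip, timestamp) tuples for suspicious activity.

    Indicators mirror the advisory's log indicators:
      - hardcoded_account_login: successful login as a hardcoded user
      - failures_then_success: failed attempts then a success from one source
      - multiple_failures: fail_threshold or more failures from one source
      - config_change_untrusted_source: config change from outside trusted_sources
    """
    alerts = []
    recent_failures = defaultdict(int)  # per-source failures since last success
    for ev in parse(lines):
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "login failed":
            recent_failures[src] += 1
            if recent_failures[src] == fail_threshold:
                alerts.append(("multiple_failures", src, ts))
        elif ev["event"] == "login success":
            if ev["user"] in HARDCODED_USERS:
                alerts.append(("hardcoded_account_login", src, ts))
            if recent_failures[src] > 0:
                alerts.append(("failures_then_success", src, ts))
            recent_failures[src] = 0
        elif ev["event"] == "config changed":
            if src not in trusted_sources:
                alerts.append(("config_change_untrusted_source", src, ts))
    return alerts


if __name__ == "__main__":
    # 10.0.0.5 plays the role of the trusted management host in the sample.
    for indicator, src, ts in detect(SAMPLE_LOGS, {"10.0.0.5"}):
        print(f"{ts} {src} {indicator}")
```

Feed it the device's syslog export (or point a SIEM rule at the same conditions); the hardcoded-account indicator is the high-confidence one, while the other three are the supporting signals the page lists and will also fire on ordinary credential guessing.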