CVE-2021-27155
📋 TL;DR
CVE-2021-27155 is a critical authentication bypass vulnerability affecting FiberHome HG6245D optical network terminals. The web daemon contains hardcoded admin credentials (admin/3UJUh2VemEfUtesEchEC2d2e) that allow attackers to gain administrative access. This affects all users of FiberHome HG6245D devices through firmware version RP2613.
💻 Affected Systems
- FiberHome HG6245D
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the device, enabling them to reconfigure network settings, intercept traffic, install malware, or use the device as a pivot point into internal networks.
Likely Case
Attackers exploit the credentials to access the web interface, change device settings, monitor network traffic, or disable security features.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the device itself rather than allowing lateral movement.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded credentials and access to the web interface. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after RP2613
Vendor Advisory: https://www.fiberhome.com/security-advisory/
Restart Required: Yes
Instructions:
1. Contact FiberHome or your ISP for updated firmware.
2. Download the firmware file.
3. Log into the device web interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload the new firmware file.
6. Wait for the device to reboot automatically.
🔧 Temporary Workarounds
Disable Web Management Interface
Disable the vulnerable web interface if it is not needed for management:
1. Log in via SSH/Telnet.
2. Navigate to the web interface settings.
3. Disable HTTP/HTTPS management.
Network Segmentation
Isolate the device from critical networks:
1. Configure firewall rules to restrict access to the device management interface.
2. Place the device in an isolated VLAN.
🧯 If You Can't Patch
- Change the default admin password if possible (though the hardcoded credentials may still grant access regardless)
- Implement strict network access controls to limit who can reach the management interface
🔍 How to Verify
Check if Vulnerable:
Attempt to log into the web interface using credentials admin/3UJUh2VemEfUtesEchEC2d2e. If successful, the device is vulnerable.
Check Version:
Log into web interface and check System Information > Firmware Version, or use telnet/SSH and check version information
Verify Fix Applied:
After patching, attempt to log in with the hardcoded credentials. Access should be denied. Verify firmware version is newer than RP2613.
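The "Check Version" step above compares a firmware string against RP2613. The helper below is an added example, not FiberHome's code; it assumes the version string has the form "RP" followed by digits as shown on this page, refuses to guess about any other format, and treats any build at or below RP2613 as vulnerable.

```python
import re

# RP2613 is the last affected build named in this advisory.
LAST_VULNERABLE_BUILD = 2613

# Assumed format: "RP" followed by a build number, e.g. "RP2613".
VERSION_RE = re.compile(r"^\s*RP(\d+)\s*$", re.IGNORECASE)


def parse_rp_version(version: str) -> int:
    """Return the numeric build of an RPnnnn firmware string.

    Raises ValueError for anything that does not match, so an unknown
    format is reported instead of silently being treated as patched.
    """
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return int(match.group(1))


def is_vulnerable_version(version: str) -> bool:
    """True when the build is RP2613 or older (affected by CVE-2021-27155)."""
    return parse_rp_version(version) <= LAST_VULNERABLE_BUILD


if __name__ == "__main__":
    for sample in ("RP2613", "RP2614", "rp2500"):
        print(sample, "vulnerable" if is_vulnerable_version(sample) else "patched")
```

Feed it the string shown under System Information > Firmware Version; a ValueError means the device reports a format this advisory does not cover and should be checked by hand rather than assumed safe.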
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful admin login
- Admin login from unusual IP addresses
- Configuration changes from unexpected sources
Network Indicators:
- HTTP/HTTPS requests to device management interface from external IPs
- Traffic patterns suggesting device reconfiguration
SIEM Query:
source="ONT_web_logs" AND user="admin" AND action="login_success" | stats count by src_ip
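For environments without a SIEM, the same three log indicators (failed attempts followed by a successful admin login, admin logins from outside the management network, and a per-source count of admin logins) can be checked offline. The script below is an added example, not part of this advisory or any vendor tooling; the log line format and the sample lines are constructed, and the allowed management network is an assumption to be replaced with your own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines; the key=value layout is an assumption,
# not the HG6245D's actual log format.
SAMPLE_LOGS = """\
2021-02-10T08:01:02Z src=192.168.1.20 user=admin action=login_failure
2021-02-10T08:01:05Z src=192.168.1.20 user=admin action=login_failure
2021-02-10T08:01:09Z src=192.168.1.20 user=admin action=login_failure
2021-02-10T08:01:12Z src=192.168.1.20 user=admin action=login_success
2021-02-10T09:15:00Z src=203.0.113.45 user=admin action=login_success
2021-02-10T09:16:10Z src=203.0.113.45 user=admin action=config_change item=dns
2021-02-10T10:00:00Z src=192.168.1.10 user=user action=login_success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
)


def parse_lines(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def admin_logins_by_src(events):
    """Equivalent of the SIEM query: successful admin logins counted per source IP."""
    counts = defaultdict(int)
    for e in events:
        if e["user"] == "admin" and e["action"] == "login_success":
            counts[e["src"]] += 1
    return dict(counts)


def external_admin_logins(events, allowed_cidrs):
    """Successful admin logins whose source is outside the allowed management networks."""
    allowed = [ip_network(c) for c in allowed_cidrs]
    return [
        e for e in events
        if e["user"] == "admin" and e["action"] == "login_success"
        and not any(ip_address(e["src"]) in net for net in allowed)
    ]


def failed_then_success(events, threshold=3):
    """Sources with at least `threshold` consecutive failures before a success.

    Returns (src, failure_count, timestamp_of_success) tuples; events are
    assumed to be in chronological order.
    """
    streak = defaultdict(int)
    hits = []
    for e in events:
        if e["action"] == "login_failure":
            streak[e["src"]] += 1
        elif e["action"] == "login_success":
            if streak[e["src"]] >= threshold:
                hits.append((e["src"], streak[e["src"]], e["ts"]))
            streak[e["src"]] = 0
    return hits


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    print("admin logins per source:", admin_logins_by_src(evs))
    # Assumed management network; adjust to your environment.
    print("external admin logins:", external_admin_logins(evs, ["192.168.1.0/24"]))
    print("failures then success:", failed_then_success(evs))
```

On the constructed sample, 192.168.1.20 is flagged for three failures followed by a success, and 203.0.113.45 is flagged as an admin login from outside the management network that is then followed by a configuration change. The explicit allowlist is used rather than a "private address" check because some non-routable ranges are classified as private by common libraries and would otherwise be missed.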