CVE-2021-27157

9.8 CRITICAL

📋 TL;DR

CVE-2021-27157 is a critical authentication bypass vulnerability affecting FiberHome HG6245D optical network terminals. The web daemon contains hardcoded admin credentials (admin/888888) that allow attackers to gain administrative access. This affects all users of FiberHome HG6245D devices through firmware version RP2613.

💻 Affected Systems

Products:
  • FiberHome HG6245D
Versions: All versions through RP2613
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of the optical network terminal. The hardcoded credentials are present in the ISP-specific configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the network device allowing reconfiguration of network settings, traffic interception, device takeover, and potential lateral movement into connected networks.
🟠 Likely Case: Unauthorized administrative access to the device enabling network configuration changes, service disruption, and credential harvesting.
🟢 If Mitigated: Limited impact if the device is behind firewalls, is not internet-facing, and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Direct internet exposure allows remote attackers to exploit this without any authentication.
🏢 Internal Only: HIGH - Even internally, any user on the network can exploit these hardcoded credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - simply navigate to the web interface and use admin/888888 credentials. No special tools or skills required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after RP2613

Vendor Advisory: https://www.fiberhome.com/security-advisory (vendor-specific advisory may not be publicly available)

Restart Required: Yes

Instructions:

1. Contact your ISP or FiberHome for updated firmware.
2. Back up the current configuration.
3. Upload the new firmware via the web interface.
4. Reboot the device.
5. Restore the configuration if needed.

🔧 Temporary Workarounds

Disable web management interface (platform: all)

Disable the vulnerable web daemon if remote management is not required. The exact commands depend on the device's shell; the steps are:

telnet 192.168.1.1
login with admin credentials
disable httpd service

Note that this leaves the telnet service, reached with the same admin account, in place; restrict access to it as well, since disabling httpd does not change the hardcoded credentials.

Network isolation (platform: linux)

Place the device behind a firewall with strict access controls. Run on the ONT itself (if it ships iptables), the INPUT rules below block inbound HTTP/HTTPS to the device's own management interface. On an upstream Linux firewall the INPUT chain only filters traffic addressed to the firewall host, so there the FORWARD rules with the device address (192.168.1.1, as in the telnet step above) as the destination are the ones that apply:

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Isolate the device on a separate VLAN with strict firewall rules blocking all inbound access to management interfaces
  • Implement network monitoring and alerting for authentication attempts using the hardcoded credentials

🔍 How to Verify

Check if Vulnerable:

Attempt to log into the web interface at http://[device-ip] using username 'admin' and password '888888'

Check Version:

Check web interface status page or use telnet/ssh to connect and check firmware version

Verify Fix Applied:

Verify that admin/888888 credentials no longer work and that new firmware version is installed

📡 Detection & Monitoring

Log Indicators:

  • Successful authentication with admin account
  • Multiple failed login attempts followed by admin login
  • Configuration changes from unknown IP addresses

Network Indicators:

  • HTTP POST requests to login endpoints with admin credentials
  • Unusual traffic patterns from device management interface

SIEM Query:

source="device_logs" (username="admin" AND (password="888888" OR auth_success="true"))
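The three log indicators above (successful admin logins, a burst of failures followed by an admin login, and configuration changes from unknown addresses) can be checked offline against exported device logs. The script below is an added example, not code from FiberHome or from this advisory; it assumes a hypothetical syslog-style line format (`httpd: login success user=... src=...`), since the real HG6245D web daemon log format is not documented here, and the sample lines, the failure threshold and the trusted-source list are all constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines in a hypothetical syslog-style format.
# The actual HG6245D httpd log format is an assumption here.
SAMPLE_LOGS = """\
2021-02-10T08:00:01 httpd: login failed user=admin src=10.0.0.77
2021-02-10T08:00:02 httpd: login failed user=admin src=10.0.0.77
2021-02-10T08:00:03 httpd: login failed user=admin src=10.0.0.77
2021-02-10T08:00:05 httpd: login success user=admin src=10.0.0.77
2021-02-10T08:01:10 httpd: config change item=wan_settings user=admin src=10.0.0.77
2021-02-10T09:15:00 httpd: login success user=admin src=192.168.1.50
2021-02-10T09:16:00 httpd: config change item=wifi_password user=admin src=192.168.1.50
2021-02-10T10:00:00 httpd: login failed user=user src=192.168.1.60
"""

# One regex for the three event kinds; "item=" only appears on config changes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) httpd: (?P<event>login success|login failed|config change)"
    r"(?: item=(?P<item>\S+))? user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Failures from one source before a success counts as "brute force then login".
FAILED_THRESHOLD = 3  # assumed tuning value


@dataclass
class Alert:
    rule: str
    src: str
    ts: str
    detail: str


def parse(log_text):
    """Parse matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(log_text, trusted_sources):
    """Return one Alert per matched indicator, in log order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per source address
    for ev in parse(log_text):
        src, user, event = ev["src"], ev["user"], ev["event"]
        if event == "login failed":
            failures[src] += 1
            continue
        if event == "login success":
            if user == "admin":
                alerts.append(Alert("admin_login", src, ev["ts"], "successful admin login"))
                if failures[src] >= FAILED_THRESHOLD:
                    alerts.append(Alert("bruteforce_then_admin", src, ev["ts"],
                                        f"{failures[src]} failures before admin success"))
            failures[src] = 0  # a success resets the counter for that source
            continue
        if event == "config change" and src not in trusted_sources:
            alerts.append(Alert("config_change_untrusted", src, ev["ts"],
                                f"changed {ev['item']}"))
    return alerts


def summarize(alerts):
    """Count alerts by rule name."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed allowlist: the only address expected to manage the device.
    for alert in detect(SAMPLE_LOGS, trusted_sources={"192.168.1.50"}):
        print(f"{alert.ts} [{alert.rule}] src={alert.src}: {alert.detail}")
```

Against the sample, the address 10.0.0.77 raises all three rules (three failures, then an admin login, then a WAN change from an unlisted address), while the trusted 192.168.1.50 only produces the plain admin-login alert, which is what the first log indicator asks for regardless of source.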
