CVE-2021-27161
📋 TL;DR
CVE-2021-27161 is a hardcoded-credential vulnerability (in practice an authentication bypass) in the web management interface of FiberHome HG6245D optical network terminals. The interface accepts the built-in account admin with password 1234, so anyone who can reach it gets administrative access. All HG6245D devices running firmware through RP2613 are affected. The issue was disclosed by Pierre Kim in January 2021 together with other findings on the same device.
💻 Affected Systems
- FiberHome HG6245D
📦 What is this software?
The FiberHome HG6245D is a GPON optical network terminal (ONT): the fibre modem/router an ISP installs at the customer premises. The affected component is its built-in web management interface.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control of the device and can reconfigure network settings (DNS, port forwarding, Wi-Fi), intercept or redirect traffic passing through it, load modified firmware, or use the ONT as a pivot into the network behind it.
Likely Case
An attacker who can reach the web interface logs in with the hardcoded credentials, changes the device configuration, and can disrupt connectivity or quietly monitor traffic.
If Mitigated
If the management interface is reachable only from a trusted management segment, an attacker first has to get onto that segment; the exposure is then confined to the device and that segment rather than the whole internal network.
🎯 Exploit Status
Exploitation needs nothing beyond the credentials and network reach to the web interface: a browser or curl is enough, and no exploit tooling or memory-corruption skills are required. Any device whose interface is reachable from an untrusted network should be treated as already compromised until it is verified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware newer than RP2613 (RP2613 and earlier are affected; this page does not name a specific fixed release)
Advisory (researcher disclosure, not a vendor bulletin): https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
Restart Required: Yes
Instructions:
1. Contact your ISP or FiberHome for updated firmware. ONTs are normally provisioned and updated by the ISP over its management channel, so the ISP may have to push the update; a customer-side upload is not always possible.
2. Download the firmware file.
3. Access the device web interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the device and confirm the reported firmware version.
🔧 Temporary Workarounds
Network Access Restriction
Block access to the device's web management interface from untrusted networks. The rules below only help on a Linux router or firewall you control that sits between the untrusted network and the ONT (the ONT offers no supported shell for this, and when the ONT is the internet edge only the ISP can close WAN-side exposure). WAN_IF is the untrusted interface on that host and is site-specific; scoping the rules to it keeps LAN-side administration working:
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j DROP
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 443 -j DROP
Change Default Credentials
Change the admin password if the interface allows it. This does not remove a hardcoded credential: if admin/1234 is baked into the firmware it keeps working whatever password is configured, so treat this as defence in depth for the configurable account only and re-test admin/1234 after the change.
🧯 If You Can't Patch
- Isolate the device in a separate VLAN with strict access controls, so that only a management host can reach ports 80/443 on it
- Disable WAN-side (remote) management in the interface if the option exists, and confirm from outside the network that the ports no longer answer
- Monitor for access to the device management interface from anywhere other than the management host, and alert on any admin login
🔍 How to Verify
Check if Vulnerable:
From an authorized test position, attempt to log in at http://[device-ip] (and https://) with admin/1234; a successful login confirms the device is vulnerable. Repeating the attempt from the WAN side tells you whether the interface is also exposed to the internet.
Check Version:
Read the firmware version from the web interface status page, for example curl -s http://[device-ip]/status | grep -i firmware (the exact page path varies by firmware build; adjust it to the one your device serves)
Verify Fix Applied:
Confirm the device reports a firmware version newer than RP2613 and that admin/1234 is rejected on both HTTP and HTTPS
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by a successful login as admin from the same source
- Any successful admin login or configuration change from an address outside the allowed management range
Network Indicators:
- HTTP requests to device management interface from external IPs
- Unusual traffic patterns from the ONT device
SIEM Query:
source="ONT" AND ((event="login_success" AND user="admin") OR (event="config_change" AND NOT src_ip IN (allowed_ips)))
(The grouping matters: without the outer parentheses the config_change clause is evaluated independently of source="ONT" and matches events from every source.)
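The log and network indicators above, applied as detection logic. This is an added example written for this page, not code from the advisory or from FiberHome: the syslog-style line format, the event names (login_failed, login_success, config_change) and the sample lines are constructed, and the allowed management range 192.168.1.0/24 is an assumption; map the regular expression and event names onto whatever your ONT or ISP logging actually emits.

```python
"""Flag abuse of an ONT web management interface (CVE-2021-27161 pattern).

Three rules, matching the indicators in the advisory page:
  1. repeated failed logins followed by a success from the same source
  2. a successful admin login from outside the allowed management range
  3. a configuration change from outside the allowed management range
The log format and sample lines below are constructed for this example.
"""
import ipaddress
import re

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = """\
2021-01-13T10:00:01 ONT web: login_failed user=admin src=203.0.113.7
2021-01-13T10:00:03 ONT web: login_failed user=admin src=203.0.113.7
2021-01-13T10:00:05 ONT web: login_success user=admin src=203.0.113.7
2021-01-13T10:00:40 ONT web: config_change user=admin src=203.0.113.7 item=dns
2021-01-13T11:15:00 ONT web: login_success user=admin src=192.168.1.50
2021-01-13T11:16:00 ONT web: config_change user=admin src=192.168.1.50 item=wifi
"""

# Assumed management range; replace with the real allowed_ips list.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Assumed line layout: "<timestamp> ONT web: <event> user=<name> src=<ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ONT web: (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(log_text):
    """Yield one dict per parsable line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["src"] = ipaddress.ip_address(ev["src"])
            yield ev


def is_allowed(addr, allowed_nets):
    """True when addr falls inside one of the allowed management networks."""
    return any(addr in net for net in allowed_nets)


def detect(log_text, allowed_nets, fail_threshold=2):
    """Return a list of alert dicts (ts, rule, user, src) in log order."""
    alerts = []
    failures = {}  # (user, src) -> consecutive failed logins not yet followed by success

    def alert(ev, rule):
        alerts.append({"ts": ev["ts"], "rule": rule,
                       "user": ev["user"], "src": str(ev["src"])})

    for ev in parse(log_text):
        key = (ev["user"], ev["src"])
        external = not is_allowed(ev["src"], allowed_nets)
        if ev["event"] == "login_failed":
            failures[key] = failures.get(key, 0) + 1
        elif ev["event"] == "login_success":
            # Rule 1: a success that closes a run of failures from the same source.
            if failures.pop(key, 0) >= fail_threshold:
                alert(ev, "failures_then_success")
            # Rule 2: admin logging in from outside the management range.
            if ev["user"] == "admin" and external:
                alert(ev, "admin_login_external")
        elif ev["event"] == "config_change" and external:
            # Rule 3: configuration changed from outside the management range.
            alert(ev, "config_change_external")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, ALLOWED_NETS):
        print(a)
```

Run against the sample, the external source 203.0.113.7 produces three alerts (the failure run closed by a success, the external admin login, and the external DNS change) while the two events from 192.168.1.50 produce none. Rule 1 deliberately fires on a success rather than on the failures alone, so a scanner that never gets in does not page anyone; with a hardcoded credential the success is the event that matters.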