CVE-2021-27147 in HG6245D
Summary
by MITRE
An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded admin / admin credentials for an ISP.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/28/2021
The vulnerability identified as CVE-2021-27147 affects FiberHome HG6245D broadband router devices operating with firmware revision RP2613. This represents a critical security flaw that exposes devices to unauthorized access through hardcoded administrative credentials. The issue stems from the web daemon component of the device's firmware, which contains embedded authentication credentials that cannot be changed by administrators or users. This hardcoded administrative account with default credentials admin/admin creates a persistent backdoor that remains accessible across device reboots and firmware updates, fundamentally undermining the device's security posture.
The technical implementation of this vulnerability involves the presence of hardcoded credentials within the device's firmware binary, specifically within the web daemon process responsible for handling HTTP requests and user authentication. This approach violates fundamental security principles by embedding sensitive authentication information directly into the software rather than implementing proper credential management or secure initialization procedures. The CWE-798 weakness classification applies here, as the vulnerability represents the use of hardcoded credentials in the source code or configuration files, making it easily exploitable by any attacker who discovers the default login combination. The device's web interface becomes immediately accessible to anyone possessing this knowledge, regardless of network segmentation or additional security measures.
Operationally, this vulnerability creates significant risk for both individual users and service providers who deploy these devices in residential and commercial environments. Attackers can gain immediate administrative access to the router configuration, enabling them to modify network settings, implement man-in-the-middle attacks, redirect traffic, or establish persistent access points for further exploitation. The impact extends beyond simple unauthorized access as the administrative privileges allow modification of firewall rules, DNS settings, and other critical network parameters that can compromise entire local networks. From an ATT&CK framework perspective, this vulnerability maps to initial access techniques through credential access and privilege escalation, potentially enabling lateral movement within networks and persistent threat actor operations.
Mitigation strategies for this vulnerability require immediate action from affected users and network administrators. The most effective immediate solution involves changing the default administrative credentials through any available means, though in this case the hardcoded nature of the credentials makes this approach insufficient. Device manufacturers should implement firmware updates that remove or obscure hardcoded credentials and enforce proper credential management. Network segmentation through firewalls and access control lists can limit the damage from unauthorized access, while monitoring for unusual login patterns or configuration changes can help detect exploitation attempts. Regular security audits and firmware updates should be mandated, along with network access control measures that prevent unauthorized devices from connecting to the network. The vulnerability demonstrates the importance of secure coding practices and proper credential management as outlined in industry standards such as NIST SP 800-53 and ISO 27001 security controls.