Zyxel firewalls and VPN gateways contain a built-in backdoor

Zyxel contain a built-in backdoor
Written by Emma Davis

More than 100,000 Zyxel devices contain a built-in backdoor. They have a hard-coded zyfwp account with an unchangeable password.

An unauthenticated remote attacker could gain access to a vulnerable system via ssh or a web interface using hardcoded credentials and gain administrator privileges.
< Zyxel contain a built-in backdoor
The vulnerability has a maximum severity level of 10 on the CVSS scale.

The account was not associated with any malicious activity but was only used to deliver automatic firmware updates via FTP. Zyxel recommends that you install the appropriate updates immediately.said Zyxel representative.

The vulnerability affects many of Zyxel’s popular business-class product lines, typically deployed on private corporate and government networks.

This includes the following devices:

  • Advanced Threat Protection (ATP) series – used primarily as a firewall
  • Unified Security Gateway (USG) series – used as a hybrid firewall and VPN gateway
  • USG FLEX series – used as a hybrid firewall and VPN gateway
  • VPN series – used as a VPN gateway
  • NXC series – used as WLAN access point controller

Zyxel was notified about the issue at the end of November and partially fixed the vulnerability on December 18. The vulnerability was fixed in the ZLD V4.60 Patch1 firmware, and for the NXC2500 and NXC5500 access point controllers a patch will be released in April 2021.

Any attacker, from DDoS botnet operators to government-sponsored hacker groups and ransomware gangs, can use this built-in account to access vulnerable devices and further infiltrate internal networks.cybersecurity experts warn.

The problem is aggravated by the fact that the VPN service and the web interface for device management use port 443 by default, which is why many users left port 443 open for external requests and, thus, in addition to the VPN connection point, they also left the ability to access the web. -interface. According to preliminary estimates, more than 100 thousand vulnerable devices with an open 443 port are available on the network.

Last year, Zyxel patched a critical vulnerability in its network attached storage (NAS), which has been already exploited by cybercriminals in real-world attacks.

Vulnerability CVE-2020-9054 could allow an unauthorized attacker to remotely execute arbitrary code. This allows an attacker to exploit the vulnerability by including certain characters in the username and injecting commands with web server privileges. It can then use the device’s built-in setup id utility to run commands with superuser privileges.

Let me remind you that I talked about the New Mirai malware version attacks Zyxel devices.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply