More than 100,000 Zyxel devices are vulnerable to a secret backdoor: hardcoded credentials, originally used to update the firmware of firewalls and AP controllers, that allow administrative login.
A secret hardcoded administrative account in the latest 4.60 patch 0 firmware for some Zyxel devices was discovered by Niels Teusink of Dutch cybersecurity firm EYE.
This account is not shown in the Zyxel user interface; it has the login name ‘zyfwp’ and a static, plain-text password.
The account can be used to log into vulnerable devices over both SSH and the web interface. Because the SSL VPN interface runs on the same port as the web interface, many users have exposed port 443, and with it the administrative login, to the Internet.
Vulnerabilities in VPN devices are particularly dangerous because they can be used to create new VPN accounts that grant access to the internal network, or to add port-forwarding rules that make internal services publicly reachable.
Teusink said that it is possible for anyone to change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. When combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.
Vulnerabilities of this type are commonly exploited by attackers to deploy ransomware or to compromise internal corporate networks and steal data.
Administrators of affected devices are advised to upgrade to the latest firmware as soon as possible.
Zyxel published an advisory stating that the hardcoded credentials were used to deliver automatic firmware updates over FTP.
Zyxel has released ZLD V4.60 Patch 1, which removes the hardcoded credentials from vulnerable ATP, USG, USG Flex, and VPN devices. According to Zyxel, ATP, USG, USG FLEX, and VPN firewalls running earlier firmware or SD-OS are not affected. The patch for NXC AP controllers is expected to be released in April.