
Over 100,000 Zyxel Devices Vulnerable to Secret Backdoor

More than 100,000 Zyxel firewalls, VPN gateways, ATP appliances, and access point controllers ship with a hardcoded administrative account, a secret backdoor that could allow attackers to break into corporate networks.

Zyxel Devices Vulnerable to Secret Backdoor

Researchers from EYE discovered a hardcoded-credential vulnerability in Zyxel’s firewalls, VPN gateways, and access point controllers that gives attackers root-level access to affected devices through the SSH interface or the web administration panel. According to EYE security researcher Niels Teusink, over 100,000 Zyxel devices are potentially affected. DDoS botnet operators, state-sponsored hackers, and other cybercriminals could abuse the backdoor account to log in to exposed devices and pivot into internal networks.

Zyxel is a popular manufacturer of networking equipment. Its Unified Security Gateway (USG) products are mostly deployed as firewalls or VPN gateways at the network edge, which is exactly where a built-in account with a known password does the most damage.

“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface,” Teusink explained.
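The kind of firmware audit that surfaces an account like the one described above, as an added example in Python (not code from Zyxel, EYE, or the article): it walks an extracted firmware root, lists the accounts that can actually log in (a real hash in passwd/shadow plus a usable shell), and then scans binaries for printable strings that embed any account name outside an expected set, which is how a plaintext password left in a binary shows up. The firmware tree, the file name `fwupdated`, the hash values, and the password literal are all constructed for the demo; verifying a candidate string against the shadow hash (with crypt(3) on a host, or a password cracker) is the follow-on step it leaves to the reader.

```python
"""Audit an extracted firmware root for hard-coded, login-capable accounts.

Added example, not Zyxel's or EYE's code. The mini rootfs built below is
constructed sample data; the hashes are placeholders and the password is made up.
"""
import re
import tempfile
from pathlib import Path

# Password fields that mean "no password login possible" in passwd/shadow.
LOCKED = {"", "*", "!", "!!", "x"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # strings(1)-style extraction


def build_sample_tree() -> Path:
    """Create a constructed mini firmware rootfs (sample data, not real firmware)."""
    root = Path(tempfile.mkdtemp(prefix="fw_"))
    (root / "etc").mkdir()
    (root / "usr" / "sbin").mkdir(parents=True)
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\n"
        "nobody:x:99:99:nobody:/:/sbin/nologin\n"
        "zyfwp:x:1001:1001::/home/zyfwp:/bin/sh\n"
    )
    # Placeholder hashes in crypt(3) layout; they are not hashes of anything.
    (root / "etc" / "shadow").write_text(
        "root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU.:18000:0:99999:7:::\n"
        "nobody:*:18000:0:99999:7:::\n"
        "zyfwp:$1$ijklmnop$VWXYZabcdefghijklmnop0:18000:0:99999:7:::\n"
    )
    # A fake daemon binary with the credential embedded as a "user:password" literal.
    blob = b"\x7fELF\x01\x01\x01" + b"\x00" * 57
    blob += b"zyfwp:Example_NotTheRealPassword\x00" + b"\x00" * 16
    (root / "usr" / "sbin" / "fwupdated").write_bytes(blob)
    return root


def _shadow_hashes(root: Path) -> dict:
    """Map user -> hash field from /etc/shadow (empty if the file is absent)."""
    hashes = {}
    shadow = root / "etc" / "shadow"
    if shadow.exists():
        for line in shadow.read_text().splitlines():
            if line and not line.startswith("#"):
                user, hash_ = line.split(":", 2)[:2]
                hashes[user] = hash_
    return hashes


def login_capable_accounts(root: Path) -> dict:
    """Return {user: shell} for accounts with a real password hash and a usable shell."""
    shadow = _shadow_hashes(root)
    result = {}
    for line in (root / "etc" / "passwd").read_text().splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        user, pw, shell = fields[0], fields[1], fields[6]
        if pw == "x":                      # resolve through /etc/shadow
            pw = shadow.get(user, "")
        if pw.startswith("!") or pw in LOCKED or shell in NOLOGIN_SHELLS:
            continue                       # locked, empty, or non-interactive
        result[user] = shell
    return result


def credential_literals(root: Path, users, dirs=("bin", "sbin", "usr", "lib")) -> list:
    """Scan binaries for printable strings that embed a flagged account name.

    Each hit is returned as (relative path, string) for manual review; a
    'user:secret' literal next to the account name is the classic giveaway.
    """
    hits = []
    for d in dirs:
        base = root / d
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            for m in PRINTABLE.finditer(path.read_bytes()):
                s = m.group().decode("ascii")
                if any(u in s for u in users):
                    hits.append((path.relative_to(root).as_posix(), s))
    return hits


def audit(root: Path, expected_accounts=frozenset({"root"})) -> dict:
    """Flag login-capable accounts outside the expected set, plus literals naming them."""
    accounts = login_capable_accounts(root)
    unexpected = sorted(set(accounts) - set(expected_accounts))
    return {
        "login_capable": accounts,
        "unexpected": unexpected,
        "literals": credential_literals(root, unexpected),
    }


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for user in report["unexpected"]:
        print(f"[!] unexpected login-capable account: {user} ({report['login_capable'][user]})")
    for path, literal in report["literals"]:
        print(f"[!] string in {path}: {literal!r}")
```

On a real image, point `audit()` at the directory produced by unpacking the firmware (for example with binwalk) and extend `expected_accounts` with the accounts the vendor documents; anything left in `unexpected` deserves the same scrutiny Teusink gave `zyfwp`, and a literal hit should be confirmed against the shadow hash before it is reported as a working credential.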

Affected Devices

The vulnerability, tracked as CVE-2020-29583 with a CVSS score of 7.8, affects several Zyxel product lines deployed across private and government enterprise networks. These include:

  • ZyWALL (anti-virus, anti-spam, and intrusion detection appliances)
  • The Advanced Threat Protection (ATP) series (firewall protection service)
  • The Unified Security Gateway (USG) series (a hybrid firewall and VPN gateway)
  • The USG FLEX series (a hybrid firewall and VPN gateway)
  • The VPN series (VPN gateways)
  • The NXC series (a WLAN access point controller)

Patches Released!

Zyxel has released firmware patches that remove the backdoor account from the affected products. The fixed versions are:

Firewall Patches

  Affected product series                        Patch available in
  ATP series running firmware ZLD V4.60          ZLD V4.60 Patch1 in Dec. 2020
  USG series running firmware ZLD V4.60          ZLD V4.60 Patch1 in Dec. 2020
  USG FLEX series running firmware ZLD V4.60     ZLD V4.60 Patch1 in Dec. 2020
  VPN series running firmware ZLD V4.60          ZLD V4.60 Patch1 in Dec. 2020

AP Controller Patches

  Affected product series                        Patch available in
  NXC5500 running firmware V6.00 through V6.10   V6.10 Patch1 on Jan. 8, 2021
  NXC2500 running firmware V6.00 through V6.10   V6.10 Patch1 on Jan. 8, 2021

Zyxel urged users and system administrators to install the applicable updates immediately. Until a device is patched, the account remains usable by anyone who can reach its SSH or web management interface, so limiting exposure of those interfaces to untrusted networks is the sensible interim measure.