Hidden Backdoor Discovered in 100,000 Zyxel Devices

A vulnerability has been discovered in Zyxel products, including firewalls, access point (AP) controllers, and VPN gateways, that attackers could exploit to obtain remote administrative access to the devices. By exploiting the vulnerability, attackers could change firewall configurations, permit or block traffic, intercept traffic, create new VPN accounts, expose internal services to the public, and gain access to the internal networks behind the Zyxel products. About 100,000 Zyxel units worldwide are affected.

Zyxel's networking equipment is popular with small and medium-sized organizations and is also used by large businesses and government institutions.

Niels Teusink of the Dutch cybersecurity firm EYE found the vulnerability, tracked as CVE-2020-29583, when he discovered an undocumented user account in the latest version of Zyxel's firmware (ZLD V4.60 Patch 0). The account, zyfwp, has a hardcoded plaintext password stored in one of the product binaries. This hardcoded administrative account was introduced in that firmware version.

Teusink was able to use the credentials to log in to vulnerable devices over both SSH and the web interface. Because the password is hardcoded, device owners cannot change it. An attacker can use the same credentials to log in remotely and take over a vulnerable Zyxel device. Since the SSL VPN service on these products listens on the same port as the web interface, many users have port 443 of these devices exposed to the internet.
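The discovery described above came from examining the strings in a product binary. The following Python is an added illustration, not code from the original article, from EYE, or from Zyxel: it scans a firmware image for the zyfwp account name and reports the strings stored next to it as candidate hardcoded passwords, which is the usual first pass when auditing firmware for embedded credentials. The firmware bytes are a constructed stand-in, and the password inside them is a placeholder, not the real value.

```python
"""Find a hard-coded account and its neighbouring credential string in a
firmware image. Added example; the image below is constructed, not Zyxel's."""
import string

ACCOUNT = "zyfwp"  # undocumented account named in the advisory

# Constructed stand-in for a firmware binary: an ELF-like header, some data,
# an /etc/passwd fragment, then the account name and a PLACEHOLDER password
# stored back to back, followed by an FTP URL template.
FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(48))
    + b"root:x:0:0:root:/root:/bin/sh\x00\x00\x00"
    + b"zyfwp\x00" + b"Placeholder-Pw1\x00"          # NOT the real password
    + b"\x90\x90\x90"
    + b"ftp://%s:%s@%s/firmware\x00"
)

_PRINTABLE = set(range(0x20, 0x7F))  # space through '~'


def extract_strings(data, min_len=4):
    """Return (offset, text) for each run of printable ASCII, like `strings -t d`."""
    found, start = [], None
    for i, b in enumerate(data):
        if b in _PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


def looks_like_password(text):
    """Heuristic: 8-32 characters drawn from at least three character classes."""
    if not 8 <= len(text) <= 32:
        return False
    classes = (any(c.islower() for c in text), any(c.isupper() for c in text),
               any(c.isdigit() for c in text),
               any(c in string.punctuation for c in text))
    return sum(classes) >= 3


def find_hardcoded_credentials(data, account=ACCOUNT, window=2):
    """Locate `account` among the binary's strings and report the `window`
    strings stored right after it as candidate passwords."""
    strs = extract_strings(data)
    findings = []
    for idx, (offset, text) in enumerate(strs):
        if text != account:
            continue
        neighbours = strs[idx + 1: idx + 1 + window]
        findings.append({
            "account": text,
            "offset": offset,
            "candidates": [(o, t, looks_like_password(t)) for o, t in neighbours],
        })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(FIRMWARE):
        print(f"account {f['account']!r} at offset {f['offset']}")
        for off, text, likely in f["candidates"]:
            print(f"  candidate at offset {off}: {text!r} (password-like: {likely})")
```

On a real image, run this over the unpacked filesystem and the individual service binaries rather than the raw flash dump, and treat the candidates as leads only; the finding above was confirmed by actually logging in with the credentials.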

Zyxel has issued a patch to resolve the vulnerability. Zyxel said that the account was added to deliver automatic firmware updates to connected access points via FTP.

The vulnerability affects several Zyxel product lines, including the Advanced Threat Protection (ATP) firewalls, the VPN series, and the Unified Security Gateway (USG) and USG FLEX series, all on firmware version 4.60, as well as the NXC2500 and NXC5500 AP controllers on firmware versions 6.00 through 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an advisory about the vulnerability. It rated the risk as medium for small government entities and small businesses, and high for large and medium-sized government agencies and large and medium-sized businesses.

All users of the affected products were told to apply the patch without delay to protect against exploitation. Although there are no documented instances of exploitation so far, exploitation is likely. Because the account permits configuration changes, patching alone does not undo anything an attacker may already have done; the configuration, VPN accounts, and firewall rules of any device that was exposed while running the vulnerable firmware should be reviewed.

Patches for the following affected firewall products were released in December 2020:

  • USG series using firmware ZLD V4.60
  • ATP series using firmware ZLD V4.60
  • USG FLEX series using firmware ZLD V4.60
  • VPN series using firmware ZLD V4.60

Patches for the following affected AP controllers were scheduled for release on January 8, 2021:

  • NXC2500 using firmware V6.00 through V6.10
  • NXC5500 using firmware V6.00 through V6.10
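To triage a device inventory against the affected-version lists above, the following Python is an added example, not code from the article or from Zyxel. It assumes that the fix ships as a patch level above 0 on the same firmware line (V4.60 for the firewall series, V6.10 for the NXC controllers), since the article gives only the release dates; it accepts the "V4.60 Patch 0" notation used here and, as a further assumption about how devices report themselves, a "V4.60(ABUI.0)" style with the patch level after the dot inside the parentheses. The inventory is constructed.

```python
"""Triage a device inventory against the affected firmware lists for
CVE-2020-29583. Added example, not Zyxel's code; the inventory is constructed."""
import re

# Affected product lines from the advisory: firewall series on ZLD V4.60
# (the hard-coded account appeared in V4.60 Patch 0) and the NXC AP
# controllers on V6.00 through V6.10.
FIREWALL_SERIES = ("USG FLEX", "USG", "ATP", "VPN")   # longest prefix first
AP_CONTROLLERS = ("NXC2500", "NXC5500")

# Accepts "V4.60 Patch 1", "V4.60" (patch level 0) and, as an ASSUMPTION
# about how devices report themselves, "V4.60(ABUI.1)" with the patch level
# after the dot inside the parentheses.
_VERSION_RE = re.compile(
    r"V(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*Patch\s*(?P<p1>\d+)|\([A-Z]+\.(?P<p2>\d+)\))?",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch) from a firmware version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    patch = m.group("p1") or m.group("p2") or "0"
    return int(m.group("major")), int(m.group("minor")), int(patch)


def series_of(model):
    """Map a model name such as 'USG FLEX 100' or 'ATP200' to its product series."""
    name = model.upper().replace("-", " ").strip()
    for s in AP_CONTROLLERS + FIREWALL_SERIES:
        if name.startswith(s):
            return s
    return None


def is_vulnerable(model, version):
    """True if this model/firmware combination still carries the zyfwp account.
    ASSUMPTION: the fix is patch level >= 1 on V4.60 (firewalls) and on
    V6.10 (NXC controllers); the article states only the release dates."""
    series = series_of(model)
    major, minor, patch = parse_version(version)
    if series in AP_CONTROLLERS:
        in_range = (6, 0) <= (major, minor) <= (6, 10)
        patched = (major, minor) == (6, 10) and patch >= 1
        return in_range and not patched
    if series in FIREWALL_SERIES:
        return (major, minor) == (4, 60) and patch == 0
    return False  # not an affected product line


# Constructed sample inventory: (hostname, model, reported firmware).
INVENTORY = [
    ("fw-edge-1", "USG FLEX 100", "V4.60(ABUI.0)"),
    ("fw-edge-2", "ATP200", "V4.60 Patch 1"),
    ("vpn-hq", "VPN300", "V4.55 Patch 2"),
    ("wlc-1", "NXC2500", "V6.10 Patch 0"),
    ("wlc-2", "NXC5500", "V6.10 Patch 1"),
    ("fw-branch", "USG40", "V4.60"),
    ("sw-1", "GS1920", "V4.60"),
]


def triage(inventory):
    """Return {hostname: vulnerable?} for every device in the inventory."""
    return {host: is_vulnerable(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, vulnerable in triage(INVENTORY).items():
        print(f"{host:12} {'VULNERABLE - patch now' if vulnerable else 'ok'}")
```

Because V4.60 Patch 0 is the only firewall build that carries the account, older builds are reported as not affected by this CVE; that says nothing about other issues in those builds, and a device reported as vulnerable should also have its port 443 exposure checked.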

To mitigate the threat, MS-ISAC recommends the following actions:

  • Apply the updates provided by Zyxel to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.