More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account.
Zyxel Firewalls — Backdoor:
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment.
Recently, Zyxel has released a patch to address a critical vulnerability in its firmware.
The patch was issued after Dutch security researchers from Eye Control discovered a hardcoded, undocumented secret account.
Attackers could abuse this account to log in with administrative privileges and compromise the affected networking devices.
Zyxel Security Advisory:
CVE ID: CVE-2020-29583
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password (“PrOw!aN_fXp”). The password for this account can be found in cleartext in the firmware.
As a result, anyone who knows these credentials can use this account to log in to the SSH server or web interface with admin privileges.
Note: ATP, USG, USG FLEX, and VPN firewalls running earlier firmware versions, and the VPN series running SD-OS, are NOT affected.
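The advisory above gives defenders two concrete things to check: whether a device runs the affected firmware version, and whether the undocumented account has been used to authenticate over SSH or the HTTPS management interface. The following Python is an added example (not Zyxel's code and not from the advisory) that does both against a constructed, hypothetical log format; the field layout `user=... src=... result=...` and the hostnames and addresses are assumptions, and the password is deliberately not needed anywhere in the check.

```python
import re
from typing import Dict, List

# Account name disclosed in the Zyxel advisory for CVE-2020-29583.
UNDOCUMENTED_ACCOUNT = "zyfwp"
# The only firmware version the advisory names as containing the account.
AFFECTED_FIRMWARE = "4.60"

# Hypothetical (constructed) authentication log shape:
#   <timestamp> <host> <service> user=<name> src=<ip> result=<ok|fail>
# where <service> is "sshd" for the SSH server or "https" for the web UI.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<service>sshd|https)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>ok|fail)$"
)


def is_affected_firmware(version: str) -> bool:
    """True if the reported firmware version is the one the advisory flags."""
    return version.strip() == AFFECTED_FIRMWARE


def find_backdoor_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed auth event that used the undocumented account.

    Lines that do not match the expected format are skipped rather than
    treated as errors, since real syslog streams mix many message types.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        if m.group("user") == UNDOCUMENTED_ACCOUNT:
            hits.append(m.groupdict())
    return hits


def triage(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Split hits into successful logins (compromise) and failed attempts (probing)."""
    summary = {"successful": 0, "failed": 0}
    for h in hits:
        summary["successful" if h["result"] == "ok" else "failed"] += 1
    return summary


# Constructed sample log lines; hosts, times and addresses are made up.
SAMPLE_LOGS = [
    "2021-01-04T08:12:01Z usg-edge sshd user=admin src=10.0.0.5 result=ok",
    "2021-01-04T08:13:44Z usg-edge https user=zyfwp src=203.0.113.7 result=ok",
    "2021-01-04T08:14:02Z usg-edge sshd user=zyfwp src=203.0.113.7 result=fail",
    "2021-01-04T08:15:30Z usg-edge https user=operator src=10.0.0.9 result=ok",
    "kernel: unrelated message that does not match the auth format",
]

if __name__ == "__main__":
    print("firmware 4.60 affected:", is_affected_firmware("4.60"))
    found = find_backdoor_logins(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['service']} login as {h['user']} from {h['src']}: {h['result']}")
    print(triage(found))
```

Any hit at all is worth an alert, because the account is not one an administrator would legitimately use; a successful hit from an external address should be treated as a compromised device, not just an attempt.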
IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a previous incident that took place in 2016, as reported by ZDNet.
“In addition, unlike the previous exploit, which was used in Telnet only, this needs even lesser expertise as one can directly try the credentials on the panel hosted on port 443,” Anubhav said.
He further added: “The new Zyxel backdoor could expose a whole new set of companies and government agencies to the same type of attacks that we’ve seen over the past two years.”
It is highly recommended to install the necessary firmware updates to mitigate the risk associated with this flaw.