Hidden Backdoor Found in 100,000 Zyxel Products

A vulnerability was found in Zyxel devices such as firewalls, VPN gateways, and access point (AP) controllers that attackers can exploit to gain remote administrative access. By exploiting the vulnerability, threat actors can change firewall configurations, allow or block selected traffic, intercept traffic, create new VPN accounts, expose internal services to the public, and gain access to the internal systems behind Zyxel products. Close to 100,000 Zyxel units around the world are affected.

Zyxel networking equipment is popular with small and medium-sized organizations and is also used by large corporations and government institutions.

Niels Teusink of the Dutch cybersecurity company EYE discovered the vulnerability, tracked as CVE-2020-29583, when he found a secret user account in the newest version of the Zyxel firmware (4.60 patch 0). The hidden user account, zyfwp, has a hardcoded plain-text password stored in one of the product binaries. This hardcoded administrative account was added in that newest version of the software.

Teusink used the credentials to log in to vulnerable equipment over both SSH and the web interface. Because the password is hardcoded, device owners cannot change it. An attacker could use the same credentials to log in remotely and compromise a vulnerable Zyxel unit.

Since SSL VPN on these devices runs on the same port as the cloud interface, many users have port 443 of these devices exposed to the internet.

Zyxel has issued a patch to resolve the vulnerability. Zyxel said the account was included so that the company could deliver automatic firmware updates to connected access points over FTP.

The vulnerability is present in a number of Zyxel product lines: the Zyxel Advanced Threat Protection (ATP) firewalls, the VPN series, the Unified Security Gateway (USG) and USG FLEX series running firmware version 4.60, and the Zyxel NXC2500 and NXC5500 AP controllers running version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) released an advisory concerning the vulnerability. The vulnerability was rated as medium risk for small government entities and small businesses, and as high risk for large and medium-sized government agencies and large and medium-sized companies.

All users of the vulnerable products were told to apply the patch immediately to protect against exploitation. Although no exploitation of the vulnerability has been documented so far, exploitation is possible.

For the following affected firewall products, patches became available in December 2020.

  • USG FLEX series with firmware ZLD V4.60
  • ATP series with firmware ZLD V4.60
  • USG series with firmware ZLD V4.60
  • VPN series with firmware ZLD V4.60

For the following affected AP controllers, patches will be available on January 8, 2021.

  • NXC5500 with firmware V6.00 through V6.10
  • NXC2500 with firmware V6.00 through V6.10
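As an added illustration (not code from the article, EYE, or Zyxel), the following Python audit helper flags inventory entries that fall in the affected model and firmware ranges listed above and scans syslog output for logins by the hidden zyfwp account described earlier. The inventory entries and the ZyWALL-style log line format are constructed assumptions; adjust LOGIN_RE to match your devices' real syslog output.

```python
import re
from typing import List, Tuple

HIDDEN_ACCOUNT = "zyfwp"

# Affected builds as the article lists them: ZLD V4.60 on the USG FLEX, ATP, USG
# and VPN firewall lines, and V6.00 through V6.10 on the NXC2500/NXC5500 controllers.
FIREWALL_MODELS = ("USG FLEX", "ATP", "USG", "VPN")
AP_MODELS = ("NXC2500", "NXC5500")

def parse_version(firmware: str) -> Tuple[int, int]:
    """'ZLD V4.60 patch 0' -> (4, 60); 'V6.10' -> (6, 10)."""
    m = re.search(r"V(\d+)\.(\d+)", firmware, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(model: str, firmware: str) -> bool:
    """True when the model/firmware pair falls in an affected range."""
    ver = parse_version(firmware)
    name = model.upper()
    if name.startswith(AP_MODELS):
        return (6, 0) <= ver <= (6, 10)
    if name.startswith(FIREWALL_MODELS):
        return ver == (4, 60)
    return False

# Constructed syslog lines in an assumed ZyWALL login format; the real format
# may differ, so adjust LOGIN_RE to your devices' output.
SAMPLE_LOG = """\
Jan  2 10:15:01 usg60 ZyWALL: User zyfwp has logged in from 203.0.113.5 via SSH
Jan  2 10:16:44 usg60 ZyWALL: User admin has logged in from 192.0.2.10 via HTTPS
Jan  2 10:17:09 usg60 ZyWALL: User zyfwp has logged in from 198.51.100.7 via HTTPS
"""
LOGIN_RE = re.compile(r"User (?P<user>\S+) has logged in from (?P<src>\S+) via (?P<svc>\S+)")

def hidden_account_logins(log_text: str) -> List[Tuple[str, str]]:
    """Return (source, service) for every login by the hidden account."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group("user") == HIDDEN_ACCOUNT:
            hits.append((m.group("src"), m.group("svc")))
    return hits

if __name__ == "__main__":
    # Constructed inventory entries for demonstration.
    inventory = [("USG FLEX 100", "ZLD V4.60 patch 0"), ("NXC5500", "V6.10"), ("USG 40", "ZLD V4.39")]
    for model, fw in inventory:
        print(f"{model:14} {fw:18} affected={is_affected(model, fw)}")
    for src, svc in hidden_account_logins(SAMPLE_LOG):
        print(f"ALERT: {HIDDEN_ACCOUNT} login from {src} via {svc}")
```

Any hit from hidden_account_logins on a device that has not yet received the patch deserves immediate investigation, since legitimate administrators have no reason to use that account.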

To mitigate the threat, MS-ISAC advises the following steps:

  • Apply the updates provided by Zyxel to vulnerable systems immediately after appropriate testing.
  • Run all software as a user without administrative privileges to reduce the impact of a successful attack.
  • Advise users not to visit untrusted websites or click hyperlinks provided by unknown or untrusted sources.
  • Inform and educate users about the threats posed by hypertext links embedded in email messages or attachments, particularly from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.