What just happened? Researchers from cyber security specialist Eye recently uncovered a secret backdoor introduced in a recent firmware update for various Zyxel firewalls and AP controllers. The hardcoded credential vulnerability consists of an undocumented user account complete with plaintext password.
According to Eye, the account grants admin privileges and works on both the SSH and web interface.
Eye said an attacker could use the credentials to change firewall settings to block or allow certain traffic. VPN accounts could also be created to gain access to the network behind the device. When combined with other vulnerabilities like Zerologon, “this could be devastating to small and medium businesses.”
The security firm said more than 100,000 Zyxel devices have their web interface exposed to the Internet.
Zyxel in a security advisory said the account was designed to deliver automatic firmware updates to connected access points through FTP.
Vulnerable products include the ATP, USG, USG FLEX and VPN series of firewalls running firmware ZLD V4.60. NXC2500 and NXC5500 AP controllers running firmware V6.00 through V6.10 are also impacted.
Eye immediately notified Zyxel about the undocumented account and in less than two weeks, the company released updated firmware to fix this and other issues impacting the firewalls. According to Zyxel, a patch to fix the AP controllers will be released on January 8.
Image credit Pixabay