Cybercriminals have started exploiting the hardcoded credential vulnerability (CVE-2020-29583) in Zyxel networking products that was announced by Zyxel on December 23, 2020.
The vulnerability, identified by Niels Teusink of the Dutch cybersecurity firm EYE, affects around 100,000 Zyxel devices, including its firewalls, AP controllers and VPN gateways. The flaw was assigned a CVSS V3 score of 7.8 out of 10 (High severity).
Teusink discovered a hidden administrative account with the username zyfwp that had a password that could not be changed. The password was found in plaintext within the firmware. While Teusink did not reveal the password, it has since been publicly disclosed on Twitter.
Several security researchers have reported observing opportunistic attempts to take control of vulnerable devices that have not been patched, with several IP addresses known to be conducting scans. Johannes Ullrich of the SANS Internet Storm Center (ISC) said several attempts have been made to access their SSH honeypots using the hardcoded default credentials, with all IP addresses identified geo-locating to Russia. “Some of these IPs have been involved in similar internet wide scans for vulnerabilities before so they are likely part of some criminal’s infrastructure,” said Ullrich.
The flaw could be exploited by threat actors to login with administrative access, change firewall settings, run malicious code, launch machine-in-the-middle attacks, take over affected devices, and access networks behind the firewalls.
The ATP firewall series, Unified Security Gateway (USG) series and VPN series devices have the hardcoded password and are vulnerable. Zyxel released a patched version of the firmware in December to correct the flaw in the majority of affected devices, with a patch for the NXC2500 and NXC5500 series of AP controllers scheduled for release on January 8, 2021.
With attempts currently being made to compromise vulnerable devices, immediate patching is strongly recommended.