Hidden Backdoor Identified in Zyxel Firewalls and AP Controllers

A security researcher has identified a hidden backdoor in Zyxel firewalls and AP controllers: the firmware ships with hardcoded administrative credentials for an account intended for automatic firmware updates. More than 100,000 Zyxel devices worldwide expose the affected interface to the internet.

Anyone who knows the hardcoded credentials can log in with administrative privileges. That is enough to push a malicious firmware update, to change the firewall settings so that traffic is blocked, allowed or intercepted, or to create new VPN accounts that give access to systems behind the firewall or expose internal services to the internet.

The hardcoded credentials were identified by Niels Teusink of the cybersecurity firm EYE in the most recent firmware version (ZLD V4.60 Patch 0) of several Zyxel devices. Teusink found the plaintext password in one of the binaries on the system. The hardcoded account appears to have been introduced in this latest firmware version.

“As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. Using publicly available data from Project Sonar, I was able to identify about 3,000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, more than 100,000 devices have exposed their web interface to the internet,” explained Teusink. Teusink also noted that chaining this vulnerability with another, such as Zerologon, could result in a major network compromise.

The administrative account is hidden: it does not appear in the Zyxel user interface, so administrators have no way of seeing it there. The username is zyfwp and its password is static and stored in plaintext. The vulnerability is tracked as CVE-2020-29583.

Zyxel has published a security advisory about the hardcoded credential vulnerability and has released patched firmware. According to Zyxel, the credentials were intended for delivering automatic firmware updates to connected access points over FTP.

Vulnerable products are detailed in the table below:

Affected product                                      Patch

Firewalls
  ATP series running firmware ZLD V4.60               ZLD V4.60 Patch1 (Dec. 2020)
  USG series running firmware ZLD V4.60               ZLD V4.60 Patch1 (Dec. 2020)
  USG FLEX series running firmware ZLD V4.60          ZLD V4.60 Patch1 (Dec. 2020)
  VPN series running firmware ZLD V4.60               ZLD V4.60 Patch1 (Dec. 2020)

AP controllers
  NXC2500 running firmware V6.00 through V6.10        V6.10 Patch1 (Jan. 8, 2021)
  NXC5500 running firmware V6.00 through V6.10        V6.10 Patch1 (Jan. 8, 2021)

Users of the vulnerable devices have been advised to apply the patch as soon as possible. Because the password is easy to recover from the firmware, the flaw is likely to be exploited in real-world attacks imminently. This is one patch that really should be applied immediately. Until it is, the web interface and SSH should not be reachable from the internet; after patching, it is worth reviewing the configuration for VPN accounts or rule changes that no administrator made, since those are exactly what an attacker with these credentials would add.

Update 01/06/21: On January 5, 2021, GreyNoise reported that three IP addresses were scanning the internet for SSH servers and attempting to log in to Zyxel devices with the hardcoded credentials.
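The following Python script is an added example written for this article; it is not code from Zyxel or from the researcher. It applies the advisory's affected-version table above to firmware version strings, and scans authentication log lines for any attempt to use the hidden zyfwp account, which no administrator has a legitimate reason to log in with. The version-string formats it accepts ("ZLD V4.60 Patch 0", "V6.10 Patch1" and the parenthesised "V4.60(XXXX.1)" form) and the syslog-style log lines are assumptions made for the example; the log lines are constructed and do not come from a real device.

```python
"""Check Zyxel firmware versions against the CVE-2020-29583 advisory table and
look for use of the hidden zyfwp account in authentication logs.

Added example for this article; not code from Zyxel or from the researcher.
"""
import re

# Product families from the advisory table in the article.
FIREWALL_FAMILIES = {"ATP", "USG", "USG FLEX", "VPN"}
AP_CONTROLLER_FAMILIES = {"NXC2500", "NXC5500"}

# Assumed version-string formats: "ZLD V4.60 Patch 0", "V6.10 Patch1", or the
# parenthesised form "V4.60(ABCD.1)" where the digit after the dot is the patch
# level. Both forms are assumptions made for this example.
VERSION_RE = re.compile(
    r"V?(\d+)\.(\d+)(?:\s*\([A-Z]{4}\.(\d+)\)|\s*Patch\s*(\d+))?",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch) for a Zyxel firmware version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    patch = m.group(3) or m.group(4) or "0"
    return int(m.group(1)), int(m.group(2)), int(patch)


def is_vulnerable(family, version_text):
    """True if the advisory lists this family/version as affected and unpatched.

    Only versions the advisory names are flagged; anything else returns False.
    """
    family = family.upper()
    major, minor, patch = parse_version(version_text)
    if family in FIREWALL_FAMILIES:
        # ZLD V4.60 (patch 0) is affected; ZLD V4.60 Patch1 fixes it.
        return (major, minor) == (4, 60) and patch < 1
    if family in AP_CONTROLLER_FAMILIES:
        # V6.00 through V6.10 are affected; V6.10 Patch1 fixes it.
        if not ((6, 0) <= (major, minor) <= (6, 10)):
            return False
        return not ((major, minor) == (6, 10) and patch >= 1)
    raise ValueError(f"unknown product family: {family!r}")


# Constructed syslog-style lines for the example; the real device log format
# is not shown in the article and will differ. Addresses are documentation ranges.
SAMPLE_LOG = [
    "Jan 05 10:12:03 fw01 sshd: Failed password for zyfwp from 203.0.113.7 port 51234 ssh2",
    "Jan 05 10:12:05 fw01 sshd: Accepted password for zyfwp from 203.0.113.7 port 51236 ssh2",
    "Jan 05 10:13:01 fw01 sshd: Accepted password for admin from 192.168.1.20 port 40002 ssh2",
    "Jan 05 10:14:22 fw01 sshd: Failed password for root from 198.51.100.9 port 60001 ssh2",
]

AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)


def find_hidden_account_use(lines, account="zyfwp"):
    """Return every login attempt, successful or not, against the hidden account.

    The account exists for Zyxel's own update mechanism, so any interactive
    attempt is an indicator of scanning; a successful one means the device
    should be treated as compromised.
    """
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m.group("user") != account:
            continue
        hits.append({
            "src": m.group("src"),
            "success": m.group("result") == "Accepted",
            "line": line.strip(),
        })
    return hits


if __name__ == "__main__":
    for fam, ver in [("USG FLEX", "ZLD V4.60 Patch 0"), ("NXC5500", "V6.10 Patch1")]:
        state = "VULNERABLE" if is_vulnerable(fam, ver) else "not listed / patched"
        print(f"{fam} {ver}: {state}")
    for hit in find_hidden_account_use(SAMPLE_LOG):
        kind = "successful login" if hit["success"] else "attempt"
        print(f"zyfwp {kind} from {hit['src']}")
```

The version check deliberately flags only the versions the advisory names, so an unlisted version returning False means "not in the advisory", not "safe"; treat it as a prompt to check Zyxel's current guidance. The log check alerts on failed attempts as well as successes, because on a device that has been patched a burst of zyfwp failures is still useful evidence of who is scanning for it.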

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news