A vulnerability was discovered in Zyxel network devices

Few days agos the detection of a vulnerability was disclosed serious security in firewalls, virtual private network gateways and access point controllers manufactured by Zyxel Communications Corp.

It is detailed that last month, security researchers from the Dutch cybersecurity firm Eye Control documented the case and they mention that the vulnerability affects more than 100.000 devices manufactured by the company.

Vulnerability implies that the devices have a hard-coded administrative-level backdoor which can grant attackers root access to devices with SSH or a web admin panel.

Given the encrypted username and password, hackers can gain access to networks using Zyxel devices.

"Someone could, for example, change the firewall settings to allow or block certain traffic," says Eye Control researcher Niels Teusink. "They could also intercept traffic or create VPN accounts to gain access to the network behind the device."

The vulnerability is in that series devices ATP, USG, USG Flex, VPN and NXC from Zyxel.

While not a household name, Zyxel is a Taiwan-based company that manufactures network devices used primarily by small and medium-sized businesses.

In fact, the company has a surprisingly remarkable list of new features: it was the first company in the world to design an analog / digital ISDN modem, the first with an ADSL2 + gateway, and the first to offer a portable personal firewall the size of the palm of the hand, among other achievements.

However, this is not the first time vulnerabilities have been found on Zyxel devices. A study by the Fraunhofer Institute for Communication in July named Zyxel along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd. and AVM Computersysteme Vertriebs GmbH as having a security rank issues.

According to the representatives of the company Zyxel, the backdoor was not a consequence of malicious activity from third-party attackers, egro was a regular function used to automatically download updates firmware via FTP.

It should be noted that the predefined password was not encrypted and Eye Control security researchers noticed it by examining the snippets of text found in the firmware image.

In the user base, the password was stored as a hash and the additional account was excluded from the user list, but one of the executable files contained the password in clear text Zyxel was informed of the problem at the end of November and partially fixed it.

Zyxel's ATP (Advanced Threat Protection), USG (Unified Security Gateway), USG FLEX and VPN firewalls, as well as the NXC2500 and NXC5500 access point controllers are affected.

Zyxel has addressed vulnerability, formally named CVE-2020-29583, in an advisory and has released a patch to fix the problem. In the notice, the company noted that the encrypted user account "zyfwp" was designed to deliver automatic firmware updates to access points connected via FTP.

Firewall issue fixed in firmware update V4.60 Patch1 (It is claimed that the default password appeared only in firmware V4.60 Patch0, and older firmware versions are not affected by the problem, but there are other vulnerabilities in older firmware through which devices can be attacked ).

In the hotspots, The fix will be included in the V6.10 Patch1 update scheduled for April 2021. All users of problem devices are advised to immediately update the firmware or close access to network ports at the firewall level.

The problem is aggravated by the fact that the VPN service and the web interface for managing the device by default accept connections on the same network port 443, which is why many users left 443 open for external requests and thus in addition to the VPN endpoint, they left and the ability to log into the web interface.

According to preliminary estimates, more than 100 devices containing the identified backdoor they are available on the network to connect through network port 443.

Users of affected Zyxel devices are advised to install the appropriate firmware updates for optimal protection.

Source: https://www.eyecontrol.nl

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.