'Backdoor account that can log in with administrator privileges' can be found on more than 100,000 Zyxel network devices
A 'backdoor account' has been discovered that allows a third party to log in to a firewall device or VPN gateway made by Taiwanese network equipment manufacturer Zyxel with administrator privileges. It is estimated that more than 100,000 devices will be affected by this worldwide, and security researchers recommend owners to update their firmware promptly.
Zyxel security advisory for hardcoded credential vulnerability | Zyxel
Undocumented user account in Zyxel products (CVE-2020-29583) --EYE
Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways | ZDNet
Backdoor account found in 100,000+ Zyxel Firewalls, VPN Gateways
On December 23, 2020, Dutch security company EyeControl reported that 'a third party has found a backdoor account ID and password that allows them to log in to Zyxel network devices with administrator privileges.' According to EyeControl security researcher Niels Teusink, the username for the backdoor account in question is 'zyfwp.' Teusink kept the password private because it was too easy to abuse, but IT news sites ZDNet and HackRead report that the password is'PrOw! AN_fXp'.
Regarding the impact of this vulnerability, Teusink said, 'For example, an attacker can change firewall settings to allow or block certain traffic, intercept traffic, or compromise a VPN account. It can also be newly created to gain unauthorized access to the network on which the device is embedded. Similar to Zerologon , a serious vulnerability found on Microsoft servers in August 2020. Can have a devastating impact on Zyxel's main customers, small businesses. '
The US National Infrastructure Advisory Board has rated the severity of this vulnerability as ' 7.8 ' on the Common Vulnerability Assessment System (CVSS) score, which ranges from 0.0 to 10.0.
Teusink used data from a research project called Project Sonar , which regularly scans the Internet, to find out how many devices could be affected by the vulnerability discovered, and found that it was 100,000 worldwide. It turns out that more than one Zyxel device is applicable.
Zyxel has already received a report from EyeControl, published a list of problematic products and distributed a patch. However, the patch for some LAN controllers will be distributed in April 2021.
Teusink said, 'When I checked the old firmware version, it had a username but no password. Therefore, it seems that this vulnerability was mixed in with the latest firmware version at the time of discovery. It's okay, but we've found issues such as buffer overflows , so we should update it anyway, 'he said, urging Zyxel device owners to update their firmware.