Secret Backdoor Discovered In More Than 100,000 Zyxel Firewalls, VPN Gateways, And AP Controllers
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.
The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities.
$ ssh [email protected]
Password: Pr*******Xp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>
This account does not show in the Zyxel user interface and has a login name of ‘zyfwp’ and a static plain-text password.
Teusink found that the account could be used to log into vulnerable devices over both SSH and the web interface. Because the SSL VPN interface runs on the same port (443) as the web administration interface, Teusink found that many users had made that port reachable from the Internet.
“As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. Using publicly available data from Project Sonar, I was able to identify about 3.000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, more than 100.000 devices have exposed their web interface to the internet,” Teusink reported.
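A defender's check for the hidden account, added here as an example and not code from the article or from Eye Control: it parses a constructed `show users current` listing shaped like the session quoted above, flags admin-level accounts that are not on an allow-list, and scans constructed log lines for logins under the `zyfwp` name. The listing layout and the log format are assumptions, not Zyxel's real formats.

```python
import re

# Constructed sample of a "show users current" listing, shaped like the
# session quoted above; the No/Name/Type layout is an assumption.
SAMPLE_USER_LISTING = """\
No: 1
Name: admin
Type: admin
No: 2
Name: zyfwp
Type: admin
No: 3
Name: monitor
Type: limited-admin
"""

# Constructed log lines; the format is an assumption, not Zyxel's real log schema.
SAMPLE_LOG_LINES = [
    "2021-01-02 10:11:12 sshd: Accepted password for zyfwp from 203.0.113.5",
    "2021-01-02 10:12:00 httpd: login user=admin src=192.0.2.9 result=ok",
    "2021-01-02 10:13:45 httpd: login user=zyfwp src=198.51.100.7 result=ok",
]

KNOWN_BACKDOOR_ACCOUNTS = {"zyfwp"}  # the hidden account named in the article

def parse_user_listing(text):
    """Group 'No:/Name:/Type:' lines of the CLI output into one dict per account."""
    entries, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(No|Name|Type):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        current[key.lower()] = value
        if key == "Type":  # "Type" is the last field of a record
            entries.append(current)
            current = {}
    return entries

def find_unexpected_admins(entries, expected_admins):
    """Admin-level accounts missing from the operator's allow-list; zyfwp never belongs."""
    return [e for e in entries if e["type"] == "admin" and e["name"] not in expected_admins]

def find_backdoor_logins(log_lines, accounts=KNOWN_BACKDOOR_ACCOUNTS):
    """Log lines recording a login by one of the known backdoor account names."""
    user = re.compile(r"(?:\bfor\s+|user=)(\w+)")
    return [line for line in log_lines
            if (m := user.search(line)) and m.group(1) in accounts]
```

Run the listing check against the CLI output of each device, since the account is absent from the web UI's user list, and feed the login check with the device's SSH and web authentication logs.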
Affected models include many of Zyxel’s top products from its line of business-grade devices, usually deployed across private enterprise and government networks.
This includes Zyxel product lines such as:
- the Advanced Threat Protection (ATP) series – used primarily as a firewall
- the Unified Security Gateway (USG) series – used as a hybrid firewall and VPN gateway
- the USG FLEX series – used as a hybrid firewall and VPN gateway
- the VPN series – used as a VPN gateway
- the NXC series – used as a WLAN access point controller
Patches are currently available only for the ATP, USG, USG FLEX, and VPN series. Patches for the NXC series are expected in April 2021, according to a Zyxel security advisory.