Secret Backdoor to Zyxel Firewall and AP Controllers Could Allow Administrative Access

Secret Backdoor to Zyxel Firewall and AP Controllers Could Allow Administrative Access

Niels Teusink of Dutch cybersecurity firm EYE has recently discovered a secret backdoor to Zyxel devices. More than 100,000 Zyxel Firewall and AP Controllers of version 4.60 patch 0 are affected by this vulnerability (CVE-2020-29583). It is due to a hardcoded administrative account.


Vulnerabilities Details (CVE-2020-29583)

A hardcoded credential vulnerability was identified in some Zyxel devices in the “zyfwp” user account. The account has the login name “zyfwp” with administrative privileges and a static plain-text password. The user account was created to address automatic firmware updates to connected access points through FTP. The vulnerability could allow remote attackers to have administrative access. This allows attackers to use the “zyfwp” user account to log in remotely and take over the Zyxel device. As a result, it could also allow attackers to intercept traffic, firewall settings, create VPN accounts to gain access to the network behind the device, and perform other administrative functions.

$ ssh zyfwp@192.168.1.252
Password: Pr*******Xp
Router> show users current
No: 1
  Name: zyfwp
  Type: admin
(...)
Router>

Teusink reported: “As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. Using publicly available data from Project Sonar, I was able to identify about 3.000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, more than 100000 devices have exposed their web interface to the internet.”

Attackers are actively scanning for the Zyxel backdoor. Recently cybersecurity GreyNoise detected that hackers are trying to exploit this backdoor, three different IP addresses actively scanning for SSH devices and trying to login using the Zyxel backdoor credentials. When SSH is detected, the attacker will try to brute force using Zyxel ‘zyfwp’ backdoor account.


Impact

The vulnerability could allow remote attackers to have administrative access. This allows attackers to use the “zyfwp” user account to log in remotely and take over the Zyxel device.


Affected Applications and Solutions

Zyxel Devices - Affected Products and Solution
Credit: Zyxel

 

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments