Security News > 2021 > January > Secret backdoor discovered in Zyxel firewall and AP controllers
Over 100,000 Zyxel devices are potentially vulnerable to a secret backdoor caused by hardcoded credentials used to update firewall and AP controllers' firmware.
Niels Teusink of Dutch cybersecurity firm EYE discovered a secret hardcoded administrative account in the latest 4.60 patch 0 firmware for some Zyxel devices.
"As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet. Using publicly available data from Project Sonar, I was able to identify about 3.000 Zyxel USG/ATP/VPN devices in the Netherlands. Globally, more than 100.000 devices have exposed their web interface to the internet," Teusink reported.
Administrators of affected devices should upgrade their devices to the latest firmware as soon as possible.
In an advisory, Zyxel thanked EYE's for their disclosure and stated that they used the hardcoded credentials to deliver automatic firmware updates via FTP. "A hardcoded credential vulnerability was identified in the"zyfwp" user account in some Zyxel firewalls and AP controllers.
Zyxel has released ZLD V4.60 Patch 1 to remove the hardcoded credentials in vulnerable ATP, USG, USG Flex, and VPN devices.