Security News > 2021 > January > Hardcoded Credentials Expose Zyxel Firewalls and WLAN Controllers to Remote Attacks
Several Zyxel firewall and WLAN controller products contain hardcoded credentials for an undocumented user account that has admin privileges.
The account was designed for the delivery of automatic firmware updates through FTP and is present on Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices.
While doing research on his personal Zyxel firewall, the security researcher discovered not only that the problematic user account exists with hardcoded credentials, but also that the account works both on SSH and the web interface.
Zyxel says the vulnerability impacts its ATP, USG, USG FLEX, and VPN series firewalls that are running firmware ZLD V4.60, as well as NXC2500 and NXC5500 AP controllers that are running firmware V6.00 through V6.10.
The company released ZLD V4.60 Patch1 firmware updates to address the vulnerability for the affected firewall products, and plans on releasing V6.10 Patch1 on January 8 for the vulnerable controllers.
Users are advised to update their devices as soon as possible, to ensure they are protected from the hardcoded credentials bug and from previously identified security flaws in these products.