Security News > 2021 > January > Zyxel hardcoded admin password found – patch now!

Zyxel products are Linux-based, and Linux usernames and passwords are typically split between two files for security reasons.

The early passwords of several Unix pioneers were cracked for fun in 2019 based on ancient password files embedded in the BSD-3 source code.

Even if you can't crack the password, the presence of a password hash in /etc/shadow nevertheless gives you a hint that the account concerned is intended for remote logins.

In this case, the researcher didn't have to crack the password hash in the firmware, a process that might have taken years or even longer, assuming that a recent Linux password hashing scheme was used.

According to reports, cybercriminals have now recovered the hardcoded password themselves, so you should assume that the offending username/password combination is now being used routinely by the various automated attack scanning tools used by crooks.

If an account is unimportant enough that it doesn't need a properly-chosen password, don't give it a password at all, and make your intentions clear.

News URL

https://nakedsecurity.sophos.com/2021/01/06/zyxel-hardcoded-admin-password-found-patch-now/