Security researchers discovered that more than 100,000 Zyxel firewalls had a hardcoded, backdoor admin-level account baked in that could’ve given hackers root access to the devices. Security researchers say that the backdoor accounts could’ve given hackers access via the SSH interface or web administration panel. The team from Eye Control says this is as bad as vulnerabilities get.
Anyone using a Zyxel firewall has been advised to update the system as soon as they can. The backdoor account has a username and password that are widely known and could allow hackers, botnets, or other nefarious users to take advantage of the system. Many of the impacted devices are enterprise-grade and could leave protected private information, such as health data or financial information vulnerable.
Some of Zyxel’s top products from its business-grade lines are deployed across private enterprises and government networks. The company’s impacted products include the Advanced Threat Protection (ATP) series, Unified Security Gateway (USG) series, USG FLEX series, VPN series, and NXC series. These devices are often on the edge of computer networks operated by businesses and, if compromised, would allow hackers to launch further attacks inside the network.
Zyxel has patches available for the ATP, USG, USG Flex, and VPN series devices. The NXC line devices does not have a patch available at this time. Zyxel anticipates a patch be available for the NXC series in April. Any businesses using NXC WLAN access point controllers should have significant concerns about continuing to use the unpatched devices considering the baked in admin account credentials are now well-known.
According to the security researchers, the plaintext username and password were visible in one of the binaries on the system. The account had root access to the device because it was used to install updates to other interconnected Zyxel devices via FTP. Unfortunately, this isn’t the first time Zyxel has had this issue. Some of its devices suffering from the same problem in 2016.