Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products

Zyxel has launched a patch to handle a crucial vulnerability in its firmware concerning a hardcoded undocumented top secret account that could be abused by an attacker to login with administrative privileges and compromise its networking gadgets.

The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects variation 4.60 present in vast-range of Zyxel units, like Unified Protection Gateway (USG), USG FLEX, ATP, and VPN firewall merchandise.

EYE researcher Niels Teusink described the vulnerability to Zyxel on November 29, pursuing which the corporation launched a firmware patch (ZLD V4.60 Patch1) on December 18.

According to the advisory printed by Zyxel, the undocumented account (“zyfwp”) will come with an unchangeable password (“PrOw!aN_fXp“) that is not only saved in plaintext but could also be used by a destructive 3rd-bash to login to the SSH server or website interface with admin privileges.

Zyxel reported the hardcoded credentials were being put in area to produce automated firmware updates to related obtain points as a result of FTP.

Noting that close to 10% of 1000 gadgets in the Netherlands run the affected firmware variation, Teusink reported the flaw’s relative relieve of exploitation can make it a essential vulnerability.

“As the ‘zyfwp‘ user has admin privileges, this is a really serious vulnerability,” Teusink reported in a produce-up. “An attacker could entirely compromise the confidentiality, integrity and availability of the product.”

“Anyone could for example transform firewall configurations to allow or block specified visitors. They could also intercept traffic or make VPN accounts to get obtain to the network driving the product. Mixed with a vulnerability like Zerologon this could be devastating to modest and medium companies.”

The Taiwanese corporation is also envisioned to deal with the situation in its obtain stage (AP) controllers with a V6.10 Patch1 that’s established to be launched in April 2021.

It’s hugely recommended that consumers install the vital firmware updates to mitigate the chance involved with the flaw.

Fibo Quantum