A serious security breach has been discovered in firewalls, VPN gateways, and access point controllers manufactured by Zyxel Communications Corp.
Detailed last month by security researchers at Dutch cybersecurity firm Eye Control, the vulnerability would affect more than 100,000 devices made by the company, according to a report on ZDNet on Saturday. The vulnerability involves devices having a hard-coded administrative-level backdoor account that can grant attackers root access to devices with SSH or a web administration panel.
Due to the hard-coded username and password, hackers can gain access to networks using Zyxel devices. “Someone could, for example, change the firewall settings to allow or block certain traffic,” says Niels Teusink, Eye Control researcher. “They could also intercept traffic or create VPN accounts to access the network behind the device.”
The vulnerability is found in Zyxel’s ATP, USG, USG Flex, VPN and NXC series devices.
Although not a household name, Zyxel is a Taiwan-based company that manufactures network devices primarily used by small and medium-sized businesses. The company actually has a surprisingly remarkable list of firsts: it was the first company in the world to design an analog-to-digital ISDN modem, the first with an ADSL2 + gateway, and the first to offer a portable personal firewall of the size with one hand, among other achievements. .
However, this is not the first time that vulnerabilities have been discovered in Zyxel devices. A study by the Fraunhofer Institute for Communication in July named Zyxel along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd. and AVM Computersysteme Vertriebs GmbH as having a range of security issues.
Zyxel fixed the vulnerability, officially named CVE-2020-29583, in an advisory and released a patch to address the issue. In the advisory, the company noted that the hard-coded “zyfwp” user account was designed to provide automatic firmware updates to access points connected via FTP.
Users of affected Zyxel devices are advised to install applicable firmware updates for optimal protection.