Backdoor in Zyxel Devices. Make Sure You’re Patched

Recently, a backdoor built into Zyxel device models was discovered and is being exploited by hackers. These device models are used by multitudes of people as VPNs, firewalls and wireless access points.

According to a researcher from a Netherlands-based security firm, Eye Control, the backdoor is in the form of a user account that is not documented with complete administrative rights that is inbuilt in the device firmware. The account with the username ‘zyfwp’, is accessible through SSH or a Web interface.

This account put users at risk, especially if used to capitalize on other vulnerabilities like Zerologon― a flaw in Windows which gives attackers the power to become powerful network administrators.

‘As the zyfwp user has admin privileges, this is a serious vulnerability’, wrote Eye Control researcher, Niels Teusink. ‘An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example, change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon, this could be devastating to small and medium businesses’.

On Monday, the founder and CEO of security firm GreyNoise, Andrew Morris said that his company’s sensors have identified automated attacks using the account credentials to log in to vulnerable devices. In almost all the login attempts, the attackers added the credentials to the list of default username/password combinations used to hack into insecure routers and other devices.

‘By definition, anything we’re seeing has to be opportunistic’, said Morris which meant the attackers were making use of the credentials against IP addresses pseudorandomly with the goal of finding susceptible connected devices. GreyNoise dispatches collection sensors in a lot of data centers globally to observe internetwide scanning and exploitation attempts.

The login attempts seen by GreyNoise are occurring over SSH connections, but Eye Control researcher Teusink stated that the unrecorded account is also accessible through a Web interface. He also said that a scan done recently showed that over 100,000 Zyxel devices had exposed the Web interface to the internet.

According to Teusink, the backdoor was introduced in firmware version 4.39, which came out a few weeks ago. In the Netherlands, a scan of Zyxel devices showed that 10% of them were using that vulnerable version. Zyxel issued a security statement listing the exact device models that are affected. They include:


• ATP series running firmware ZLD V4.60

• USG series running firmware ZLD V4.60 ZLD

• USG FLEX series running firmware ZLD V4.60

• VPN series running firmware ZLD V4.60

AP Controllers

• NXC2500 running firmware V.6.00 through V6.10

• NXC5500 running firmware V6.00 through V6.10


A fix is already available for firewall models. For AP controllers, a fix has been scheduled for Friday. Zyxel said the backdoor was designed to deliver automatic firmware updates to connected access points over FTP.

Anyone using these affected devices should install a security fix as soon as it is available. Even for devices running a version preceding 4.6, users should still ensure to install the update because it also fixes other vulnerabilities in earlier releases. Another way to go about it is disabling remote administration, except there is a justifiable reason for allowing it.

By Marvellous Iwendi.

Source: arstechnica