Secret Backdoor Found in Zyxel Firewall and AP Controllers

The Niels Teusink of Dutch cybersecurity firm EYE has recently revealed a secret backdoor official account in the latest “4.60 patch 0” for some Zyxel devices. Nearly 100,000 Zyxel devices got vulnerable to a hidden backdoor (CVE-2020-29583) that has been caused by hardcoded credentials, which are used to update firewall and AP controllers’ firmware.

We all know that Zyxel is a famous brand for firewalls that are explicitly bartered for small and medium businesses. However, the Unified Security Gateway (USG) outcome line is frequently used as a firewall or VPN gateway. 

What is Vulnerability?

According to the Report, this vulnerability is one of the hardcoded credential vulnerabilities that has been identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. Moreover, the account was specifically created to address all kinds of automatic firmware updates to the connected access points with the help of FTP.

Vulnerable versions

Firewalls

  • ATP series running firmware ZLD V4.60: ZLD V4.60 Patch1 in Dec. 2020
  • USG series running firmware ZLD V4.60: ZLD V4.60 Patch1 in Dec. 2020
  • USG FLEX series running firmware ZLD V4.60: ZLD V4.60 Patch1 in Dec. 2020
  • VPN series running firmware ZLD V4.60: ZLD V4.60 Patch1 in Dec. 2020

AP controllers

  • NXC2500: V6.10 Patch1 in April 2021
  • NXC5500: V6.10 Patch1 in April 2021

Disclosure Timeline

According to the experts, there are some disclosure timeline, and here we have mentioned below:-

  • 2020-11-29: EYE reports vulnerability to Zyxel security
  • 2020-11-30: Zyxel acknowledges receipt
  • 2020-12-02: Zyxel requests more data about how the vulnerability was identified
  • 2020-12-03: EYE sends more details
  • 2020-12-08: Zyxel releases beta firmware 4.60-WK48 and removes the vulnerable firmware version from their site
  • 2020-12-15: Zyxel releases firmware 4.60 patches 1 for most devices
  • 2020-12-18: Zyxel releases firmware 4.60 patches 1 for all remaining devices
  • 2020-12-23: Zyxel publishes advisory

Experts’ recommendation

The experts are trying their best to find out all the possible results and critical points of the vulnerability. But, after investigating the whole matter, the experts have identified that the vulnerable products present within their warranty and maintenance time are releasing the firmware patches to address the issue. 

Apart from this, the security experts have suggested the users to install the applicable updates for more optimal protection. The Taiwanese company is also suspected of addressing the problem in its access point (AP) controllers with a V6.10 Patch1, which has been set to be published in April 2021.

The experts highly suggested that every user should install the required firmware updates to alleviate the risk associated with this vulnerability.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.