Wednesday, 09 July 2025

More than 100,000 Zyxel firewalls and VPN gateways contained a backdoor account

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contained a hardcoded admin-level backdoor account that, in some cases, could grant cybercriminals root access to the devices via the SSH interface or the web admin panel.

The dangerous account was discovered by specialists at Eye Control, a company based in the Netherlands. They recommended that owners of all affected devices update them as soon as possible.

Attackers can use the detected backdoor account to gain access to internal networks.

Among the vulnerable devices are popular enterprise-grade models from Zyxel. Such devices are typically used in private organizations and government networks. Experts have identified the following product lines, whose owners should be wary of the backdoor:

•    ATP series - used primarily as a firewall;
•    USG series - used as a hybrid of firewall and VPN gateway;
•    USG FLEX series - also used as a firewall and VPN gateway;
•    VPN series - used exclusively as a VPN gateway;
•    NXC series - used as a WLAN access point controller.

As of today, patches are only ready for the ATP, USG, USG Flex and VPN series. According to Zyxel's official announcement, the NXC series will receive an update in April 2021.

As noted by researchers at Eye Control, the identified backdoor account used the username "zyfwp" and the password "PrOw!aN_fXp". All released patches block this unauthorized access.
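Because the account name is now public, defenders can look back through device logs for any authentication attempt that used it. The script below is an added illustration of that hunt and is not code from the article, from Eye Control or from Zyxel. Only the username "zyfwp" comes from the article; the log lines are constructed sample data in a generic syslog-like layout (the `sshd:` and `httpd:` fields are a hypothetical format, not Zyxel's real log format), so the two regular expressions would need to be adapted to whatever export the device actually produces.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Username of the hardcoded account named in the article.
BACKDOOR_USER = "zyfwp"

# Constructed sample log lines in a hypothetical generic format.
# IPs are from documentation ranges; nothing here is a real device export.
SAMPLE_LOGS = """\
Jan 04 09:12:01 fw-edge-01 sshd: Accepted password for admin from 10.0.5.20 port 52110
Jan 04 09:13:44 fw-edge-01 sshd: Accepted password for zyfwp from 203.0.113.7 port 40022
Jan 04 09:14:02 fw-edge-01 httpd: login success user=zyfwp src=203.0.113.7
Jan 04 09:15:30 fw-edge-01 sshd: Failed password for zyfwp from 198.51.100.9 port 41000
Jan 04 09:16:12 fw-edge-01 httpd: login success user=admin src=10.0.5.21
"""


@dataclass(frozen=True)
class Finding:
    service: str   # "ssh" or "web"
    outcome: str   # "success" or "failure"
    src_ip: str    # source address of the attempt


# Patterns for the two interfaces the article says the account could reach
# (SSH and the web admin panel), written against the constructed format above.
SSH_RE = re.compile(r"sshd: (Accepted|Failed) \w+ for (\S+) from (\S+)")
WEB_RE = re.compile(r"httpd: login (success|failure) user=(\S+) src=(\S+)")


def find_backdoor_logins(lines: Iterable[str], user: str = BACKDOOR_USER) -> list[Finding]:
    """Return every SSH or web authentication event attributed to `user`."""
    findings: list[Finding] = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m.group(2) == user:
            outcome = "success" if m.group(1) == "Accepted" else "failure"
            findings.append(Finding("ssh", outcome, m.group(3)))
            continue
        m = WEB_RE.search(line)
        if m and m.group(2) == user:
            findings.append(Finding("web", m.group(1), m.group(3)))
    return findings


def successful_sources(findings: Iterable[Finding]) -> list[str]:
    """Distinct source IPs that actually got in; these are the hosts to investigate first."""
    return sorted({f.src_ip for f in findings if f.outcome == "success"})


if __name__ == "__main__":
    hits = find_backdoor_logins(SAMPLE_LOGS.splitlines())
    for h in hits:
        print(f"{h.service:3} {h.outcome:7} from {h.src_ip}")
    print("successful sources:", successful_sources(hits))
```

A successful event for this username on an unpatched device is a strong indicator that the backdoor was used, so the successful source list is the pivot point for the rest of the investigation; failed attempts still show that someone is probing for the account.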

Source: anti-malware.ru

04 January 2021
