Researchers from the Dutch security company Eye Control announced that they have discovered a hardcoded, admin-level backdoor account in Zyxel firewalls, VPN gateways, and access point controllers. The account allows attackers to gain root access to affected devices through either the SSH interface or the web administration panel.
Plaintext password
Researchers stated that they found a user account ‘zyfwp’ with a password hash in the latest firmware version, 4.60 patch 0. According to the announcement, the plaintext password was visible in one of the binaries on the system, and the account worked on both the SSH and web interfaces. When checking older firmware versions, the researchers noticed that the username was present but the password was not included, which means older versions do not have this vulnerability; they do have other vulnerabilities, however, and should still be updated.
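As an added illustration (not code from the article or from Eye Control's research), the following defender-side check scans authentication log lines for any use of the ‘zyfwp’ account over either the SSH or the web interface and groups the events by source address. The log line format and all IP addresses are constructed for the example, since the article gives neither.

```python
import re
from collections import defaultdict

# Username of the hardcoded account named in the advisory (CVE-2020-29583).
HARDCODED_ACCOUNT = "zyfwp"

# Constructed, generic syslog-style lines. The real Zyxel log format is not
# given in the article, so the regex below is an assumption for illustration.
SAMPLE_LOGS = """\
Jan 02 10:14:03 fw1 sshd: Accepted password for zyfwp from 203.0.113.7 port 51022
Jan 02 10:14:05 fw1 sshd: Accepted password for admin from 192.0.2.10 port 51030
Jan 02 10:15:41 fw1 httpd: user zyfwp logged in via web interface from 203.0.113.7
Jan 02 10:16:02 fw1 sshd: Failed password for zyfwp from 198.51.100.9 port 40011
Jan 02 10:17:30 fw1 httpd: user admin logged in via web interface from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<svc>\w+): "
    r"(?:(?P<ssh_result>Accepted|Failed) password for (?P<ssh_user>\S+) from (?P<ssh_ip>\S+)"
    r"|user (?P<web_user>\S+) logged in via web interface from (?P<web_ip>\S+))"
)

def parse_line(line):
    """Return (timestamp, host, interface, user, src_ip, success) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m.group("ssh_user"):
        return (m.group("ts"), m.group("host"), "ssh", m.group("ssh_user"),
                m.group("ssh_ip"), m.group("ssh_result") == "Accepted")
    return (m.group("ts"), m.group("host"), "web", m.group("web_user"),
            m.group("web_ip"), True)

def find_backdoor_logins(log_text, account=HARDCODED_ACCOUNT):
    """Collect every auth event for the hardcoded account, grouped by source IP.

    Both interfaces are checked because the account works over SSH and the web
    panel. Failed attempts are kept too: they show the account is being probed.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[3] == account:
            ts, host, iface, _, src, ok = ev
            hits[src].append({"time": ts, "host": host, "interface": iface, "success": ok})
    return dict(hits)
```

Any non-empty result from `find_backdoor_logins` on a device still running the affected firmware is worth treating as a confirmed compromise, not just a probe.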
Zyxel released an advisory for the vulnerability, tracked as CVE-2020-29583. The company stated that the patch for the ATP, USG, USG FLEX, and VPN series was released in December 2020, and that the patch for NXC series AP controllers will be released in January 2021. The company also stated that the account was designed to deliver automatic firmware updates to connected access points through FTP.