“Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.”
Researchers from EYE (Netherlands) reported a secret backdoor on Zyxel devices (Firewalls and AP Controlled) running firmware version 4.60. The vulnerability, identified as CVE-2020-29583, stems from hardcoded credentials that allow attackers to gain administrative management access on the vulnerable devices via SSH or web interface.
The secret backdoor account “zyfwp” with the password “Pr*******Xp” is stored in plaintext in the code of the firmware. Since full credentials have been also released publicly by news channels, these credentials could be used by attackers to login to the SSH or the web interface to manage the devices with administrative rights.
$ ssh firstname.lastname@example.org Password: Pr*******Xp Router>
Affected products that run the vulnerable firmware version 4.60 are as follows:
- ATP series running firmware ZLD v4.60 – Firewall
- USG series running firmware ZLD v4.60 – Firewall
- USG FLEX series running firmware ZLD v4.60 – Firewall
- VPN series running firmware ZLD v4.60 – Firewall
- NXC2500 running firmware v6.00 through v6.10
- NXC5500 running firmware v6.00 through v6.10
A local attacker can gain administrative access rights on the effected devices via authenticating through SSH or web interface using the hardcoded plaintext credentials.
Category: Secret Backdoor
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected versions should be patched with the firmware patches released by the Zyxel to address the discovered vulnerability.
As we’ve come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.Art Wittmann
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
- Zyxel Security Advisory (CVE-2020-29683)
- Vulnerability Report by EYE