The experts found a secret backdoor in the Zyxel firewall and VPN

Zyxel released a patch to address a critical vulnerability in its firmware: a hardcoded, undocumented secret account that an attacker could abuse to log in with administrative privileges and thereby compromise the networking devices.

This flaw is tracked as CVE-2020-29583 (CVSS score 7.8) and affects firmware version 4.60, which is present in a wide range of Zyxel devices, including ATP, Unified Security Gateway (USG), USG FLEX, and VPN firewall products.

Zyxel Firewall, VPN Backdoor Account

Niels Teusink of Dutch cybersecurity firm EYE discovered a secret hardcoded administrative account in the latest 4.60 firmware for some Zyxel devices.

According to the security advisory published by Zyxel, the undocumented account ("zyfwp") comes with an unchangeable password that is not only stored in plaintext, but could also be used by a malicious third party to log in to the SSH server or web interface with admin privileges.

The account ("zyfwp") was designed to deliver automatic firmware updates to connected access points through FTP.

More than 10 percent of 1000 devices in the Netherlands run the affected firmware version. Teusink reported that the flaw's relative ease of exploitation makes it a critical vulnerability.

What versions are vulnerable?

The Zyxel security team identified the vulnerable products and is releasing firmware patches to address the issue, as shown in the table below. Note: only the listed products are affected.

Affected Product Series                            | Patch Available In
---------------------------------------------------|--------------------------------
Firewalls                                          |
  ATP series running firmware ZLD V4.60            | ZLD V4.60 Patch1 in Dec. 2020
  USG series running firmware ZLD V4.60            | ZLD V4.60 Patch1 in Dec. 2020
  USG FLEX series running firmware ZLD V4.60       | ZLD V4.60 Patch1 in Dec. 2020
  VPN series running firmware ZLD V4.60            | ZLD V4.60 Patch1 in Dec. 2020
AP controllers                                     |
  NXC2500 running firmware V6.00 through V6.10     | V6.10 Patch1 on Jan. 8, 2021
  NXC5500 running firmware V6.00 through V6.10     | V6.10 Patch1 on Jan. 8, 2021

Users of the listed products are strongly advised to install the firmware updates to mitigate the risk associated with the flaw.
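As an added example (not from Zyxel or the original article), the following script turns the advisory table above into an inventory triage check: it parses firmware strings such as "ZLD V4.60" or "V6.10 Patch1" and flags devices that still need the CVE-2020-29583 patch. The inventory records, hostnames and the "UNLISTED" series are constructed for the example, and the patch-level ordering assumes "Patch1" sorts after the unpatched release of the same version.

```python
import re
from typing import List, Optional, Tuple

# Affected combinations from Zyxel's advisory table for CVE-2020-29583:
# firewalls on ZLD V4.60 (fixed in ZLD V4.60 Patch1) and
# AP controllers on V6.00 through V6.10 (fixed in V6.10 Patch1).
FIREWALL_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}
AP_CONTROLLERS = {"NXC2500", "NXC5500"}

# Matches 'ZLD V4.60', 'V6.05' or 'V6.10 Patch1' (assumed input format).
_VER_RE = re.compile(r"^(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a firmware string, or None if unparseable."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(series: str, firmware: str) -> bool:
    """True if the product series / firmware pair is listed as vulnerable."""
    ver = parse_version(firmware)
    if ver is None:
        return False  # unknown format: do not silently mark as safe or unsafe
    series = series.strip().upper()
    if series in FIREWALL_SERIES:
        return ver == (4, 60, 0)            # only unpatched ZLD V4.60 is listed
    if series in AP_CONTROLLERS:
        return (6, 0, 0) <= ver < (6, 10, 1)  # V6.00 .. V6.10, fixed by V6.10 Patch1
    return False                             # only the listed products are affected


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, series, firmware) records that still need the patch."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX", "ZLD V4.60"),
    ("fw-branch-02", "USG FLEX", "ZLD V4.60 Patch1"),
    ("fw-hq", "ATP", "ZLD V4.55"),
    ("apc-01", "NXC2500", "V6.05"),
    ("apc-02", "NXC5500", "V6.10 Patch1"),
    ("ap-07", "UNLISTED", "V6.00"),
]

if __name__ == "__main__":
    for host, series, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {series} {fw} -> install the patch for CVE-2020-29583")
```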