UPDATED 21:33 EDT / JANUARY 03 2021


Serious security vulnerability discovered in Zyxel network devices

A serious security vulnerability has been discovered in firewalls, virtual private network gateways and access point controllers manufactured by Zyxel Communications Corp.

Detailed last month by security researchers at Dutch cybersecurity firm Eye Control, the vulnerability is believed to affect more than 100,000 devices manufactured by the company, according to a report Saturday on ZDNet. The vulnerability involves the devices having a hardcoded administrative-level backdoor account that can grant attackers root access to devices either with SSH or a web administration panel.

Given the hardcoded username and password, hackers can gain access to networks using Zyxel devices. “Someone could, for example, change firewall settings to allow or block certain traffic,” Eye Control researcher Niels Teusink states. “They could also intercept traffic or create VPN accounts to gain access to the network behind the device.”

The vulnerability is found in Zyxel’s ATP, USG, USG Flex, VPN series and NXC series devices.

While not a household name, Zyxel is a Taiwan-based company that manufactures networking devices primarily used by small to medium-sized businesses. The company actually has a surprisingly remarkable list of firsts: It was the first company in the world to design an analog/digital ISDN modem, the first with an ADSL2+ gateway and the first to offer a palm-sized portable personal firewall, among other achievements.

This isn’t the first time vulnerabilities have been found in Zyxel devices, however. A study from the Fraunhofer Institute for Communication in July named Zyxel along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd. and AVM Computersysteme Vertriebs GmbH as having a range of security issues.

Zyxel has addressed the vulnerability, formally called CVE-2020-29583, in an advisory and has issued a patch to fix the issue. In the advisory, the company noted that the hardcoded “zyfwp” user account was designed to deliver automatic firmware updates to connected access points through FTP.

Users of affected Zyxel devices are advised to install the applicable firmware updates for optimal protection.

Image: Zyxel

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.