UPDATED 21:33 EST / JANUARY 03 2021


Serious security vulnerability discovered in Zyxel network devices

A serious security vulnerability has been discovered in firewalls, virtual private network gateways and access point controllers manufactured by Zyxel Communications Corp.

Detailed last month by security researchers at Dutch cybersecurity firm Eye Control, the vulnerability is believed to affect more than 100,000 devices manufactured by the company, according to a report Saturday on ZDNet. The vulnerability involves the devices having a hardcoded administrative-level backdoor account that can grant attackers root access to devices either with SSH or a web administration panel.

Given the hardcoded username and password, hackers can gain access to networks using Zyxel devices. “Someone could, for example, change firewall settings to allow or block certain traffic,” Eye Control researcher Niels Teusink states. “They could also intercept traffic or create VPN accounts to gain access to the network behind the device.”

The vulnerability is found in Zyxel’s ATP, USG, USG Flex, VPN series and NXC series devices.

While not a household name, Zyxel is a Taiwan-based company that manufactures networking devices primarily used by small to medium-sized businesses. The company actually has a surprisingly remarkable list of firsts: It was the first company in the world to design an analog/digital ISDN modem, the first with an ADSL2+ gateway and the first to offer a palm-sized portable personal firewall, among other achievements.

This isn’t the first time vulnerabilities have been found in Zyxel devices, however. A study from the Fraunhofer Institute for Communication in July named Zyxel along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd. and AVM Computersysteme Vertriebs GmbH as having a range of security issues.

Zyxel has addressed the vulnerability, formally called CVE-2020-29583, in an advisory and has issued a patch to fix the issue. In the advisory, the company noted that the hardcoded “zyfwp” user account was designed to deliver automatic firmware updates to connected access points through FTP.

Users of affected Zyxel devices are advised to install the applicable firmware updates for optimal protection.

Image: Zyxel

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.