Hard-coded account in ZyXel equipment

“Zyfwp,” an admin-level account with a hard-coded password, discovered in several networking devices made by ZyXel.

This past Christmas, researcher Niels Teusink of the Dutch company EYE reported a vulnerability in Zyxel equipment: an undocumented admin-level account called “zyfwp” with a hard-coded password in a number of hardware firewalls and wireless controllers. The firmware code contains the password, which is unencrypted. Owners are urgently advised to update their firmware.

What are the risks?

The account permits an outsider to connect to the device through a Web interface or the SSH protocol, obtaining admin-level access. The account cannot be disabled, and the password cannot be changed. In other words, you cannot eliminate the vulnerability by changing the device settings.

Particularly dangerous, according to Teusink, is some devices’ use of port 443 for SSL VPN in addition to its normal use for Web-interface access. Thus, on a number of networks, the port is open to access from the Internet. Remote access to corporate resources is in particularly high demand these days, with many employees around the world working from home during the coronavirus pandemic.

The VPN gateway enables users to create new accounts for accessing resources inside the corporate perimeter. The vulnerability may also allow attackers to reconfigure the device and to block or intercept traffic.

The researcher refrained from publishing the password for reasons of ethics and security, but his message explains where to find it, so several cybersecurity resources have already made it public. Even unskilled hackers can now exploit the vulnerability, which makes the situation particularly precarious.

Which devices are vulnerable?

The vulnerability affects ATP, USG, USG FLEX, and VPN series small-business firewall devices with the firmware version ZLD v4.60. The full list of models that need an immediate firmware update, along with links to relevant patches, is available on the ZyXel website.

The list of vulnerable devices also includes NXC2500 and NXC5500 wireless network controllers with firmware versions v6.00 through v6.10, but patches for them are not ready yet. ZyXel promises a January 8 release.

The vulnerability does not affect older firmware versions, but that does not mean those owners have nothing to fear. New firmware is created for a reason — often more than one — and keeping devices updated helps keep them safe.

What to do

For starters, immediately update the firmware of any vulnerable device with the patches available on ZyXel’s forums. If no patches are available for your devices yet, monitor the forums closely and apply the update as soon as it’s released.

On top of that, we recommend employing strong workstation security; employees’ computers need to be protected before an attacker potentially gains access to the corporate network.