Secplicity - Security Simplified

Zyxel Adds a Built-in User With an Easy-to-Find Password

January 11, 2021 By Trevor Collins

Zyxel, a firewall and access point vendor, released a firmware update for its devices that included an unexpected, built-in admin user account called “zyfwp”. Information security folks often characterize this sort of hidden, hardcoded account as a “backdoor” account, even though it is hard to say whether the vendors who ship them do so intentionally or accidentally.

The account was first found by Eyecontrol, whose researchers gained access to a Zyxel device over SSH using this built-in user. They found that the firmware update included the account’s username and password in cleartext, leaking the credentials to anyone who reviews the firmware. As mentioned, the account has administrative access.

A built-in user account like this one gives unauthorized actors full access to the device. Security devices should never ship with built-in accounts that have a hardcoded password. Since you can’t delete this account, it gives anyone with CLI access the potential to completely control your device. For instance, a malicious hacker could log in with this account and create a VPN into your network, bypassing your security and gaining complete access to your local network. They could also leverage the backdoor account to read all Internet traffic passing through affected devices.

Other hackers have already publicly released the username and password for this account, and since every device with the vulnerable firmware installed will accept these credentials, an attacker only needs access to the login page (port 443) or SSH to exploit this against vulnerable Zyxel devices. With local access, they can go on to exploit any number of vulnerabilities that become much easier to abuse once they are past gateway defenses. With only a little more effort, they could target and potentially compromise local computers, printers, and other devices that are not meticulously kept up to date. For example, this attack could give external threat actors a way past gateway security to install ransomware directly. We always recommend a strong layered defense for this exact reason.

Zyxel firewalls running ZLD V4.60 (unpatched) and AP controllers running V6.00 through V6.10 (unpatched) contain this vulnerable user account. No configuration change will remove the account, so you must upgrade to “Patch 1”. See how to upgrade here. We don’t recommend downgrading, as that may expose other vulnerabilities. Over 100,000 Zyxel devices with this vulnerability have the login page exposed to the Internet, and reports suggest that attackers are already scanning for and enumerating exposed devices. You should never expose your network appliance’s login page directly to the Internet, but this becomes especially dangerous when the appliance has such a privileged, hardcoded account. If you must allow access from the outside, whitelist the IP addresses permitted to reach the device, or better yet, VPN into the device.
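The two defender-side checks this article points to, as an added example that is not code from the article or from Zyxel: alerting on management-plane logins that use the built-in “zyfwp” user or arrive from outside an IP allow-list, and classifying a reported firmware version against the affected ranges above. The syslog-style line layout, the 10.0.0.0/8 allow-list and the product labels are assumptions for the example.

```python
"""Flag 'zyfwp' or out-of-allow-list management logins; classify affected firmware versions."""
import ipaddress
import re

BUILTIN_ACCOUNT = "zyfwp"
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]  # assumed for the example
# Constructed sample lines; the field layout is an assumption, not Zyxel's real format.
SAMPLE_LOGS = """\
2021-01-11T09:15:02Z fw1 auth: user=admin src=10.0.0.5 proto=ssh result=success
2021-01-11T09:16:44Z fw1 auth: user=zyfwp src=203.0.113.77 proto=https result=success
2021-01-11T09:17:01Z fw1 auth: user=admin src=198.51.100.9 proto=https result=failure
2021-01-11T09:18:30Z fw1 auth: user=zyfwp src=10.0.0.5 proto=ssh result=failure
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)$")
VERSION_RE = re.compile(r"^V(?P<major>\d+)\.(?P<minor>\d+)(?: Patch (?P<patch>\d+))?$")


def analyze_logins(lines):
    """Return one alert dict per suspicious login event, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ev = m.groupdict()
        reasons = []
        if ev["user"] == BUILTIN_ACCOUNT:
            reasons.append("builtin-account")  # even a failed attempt deserves an alert
        if not any(ipaddress.ip_address(ev["src"]) in net for net in MGMT_ALLOWLIST):
            reasons.append("outside-allowlist")
        if reasons:
            if "builtin-account" not in reasons:
                severity = "medium"
            else:
                severity = "critical" if ev["result"] == "success" else "high"
            alerts.append({**ev, "reasons": reasons, "severity": severity})
    return alerts


def firmware_affected(product, version):
    """Unpatched ZLD V4.60 (firewall) or V6.00-V6.10 (ap-controller); Patch 1 or later is fixed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m["major"]), int(m["minor"]), int(m["patch"] or 0)
    if patch >= 1:
        return False
    if product == "firewall":
        return (major, minor) == (4, 60)
    return product == "ap-controller" and (6, 0) <= (major, minor) <= (6, 10)
```

Feed `analyze_logins` your appliance's exported auth log and treat any "critical" alert as a confirmed compromise of the management plane.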

Filed Under: Editorial Articles Tagged With: Backdoor, Zyxel