Zyxel, a firewall and AP vendor, released a firmware update for their devices that included an unexpected, built-in admin user account called “zyfwp”. Folks in information security often characterize this sort of hidden, hardcoded account as a “backdoor” account, even though it is hard to say whether the vendors who do this do so intentionally or accidentally.
The account was first found by Eyecontrol, whose researchers gained access to a Zyxel device over SSH using this built-in user. They found that a firmware update included the username and password for the account in cleartext, leaking the credentials to anyone who reviews the firmware. As mentioned, this account has administrative access.
A built-in user account like this one gives unauthorized actors full access to the device. Security devices should never ship with built-in accounts that have a hard-coded password. Since you can’t delete this account, it gives anyone with CLI access the potential to completely control your device. For instance, a malicious hacker could log in to this account and create a VPN to your network, thus bypassing your security and gaining complete access to your local network. They could also leverage the backdoor account to read all Internet traffic passing through affected devices.
Other hackers have already publicly released the username and password for this account, and since every device with the vulnerable firmware installed will accept these credentials, one only needs access to the login page (port 443) or SSH to exploit this against vulnerable Zyxel devices. With local access, they can further exploit any number of vulnerabilities that become much easier to abuse once past gateway defenses. With only a little more effort, they could target and potentially compromise local computers, printers, and other devices, unless those are meticulously updated. For example, this attack could give external threat actors an avenue past gateway security to directly install ransomware. We always recommend a strong layered defense for this exact reason.
Zyxel firewalls running ZLD V4.60 (unpatched) and AP controllers running V6.00 through V6.10 (unpatched) contain this vulnerable user account. No configuration of the device will remove this account, so you must upgrade to “Patch 1”. See how to upgrade here. We don’t recommend downgrading, as this may expose other vulnerabilities. Over 100,000 Zyxel devices with this vulnerability have their login page exposed to the Internet, and reports suggest that attackers are already scanning for and enumerating exposed devices. You should never expose your network appliance’s login page directly to the Internet, but this becomes especially dangerous when the appliance has such a privileged, hardcoded account. If you must allow access from the outside, whitelist the IP addresses permitted to reach the device, or better yet, require a VPN connection to the device.
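As an added defensive example (not code from this post, from Eyecontrol, or from Zyxel), the script below does two things a defender would want while triaging this issue: it classifies a reported firmware version against the affected ranges named above (ZLD V4.60 for firewalls, V6.00 through V6.10 for AP controllers, with “Patch 1” builds treated as fixed), and it scans authentication log lines for any login event by the zyfwp account so that use of the backdoor can be spotted in existing logs. The version-string layout, the log format (`user=... from=...`) and the sample log lines are constructed assumptions for illustration; adapt the regular expressions to the actual output of your device or SIEM.

```python
import re
from typing import Dict, Iterable, List

# The built-in account named in the advisory.
BACKDOOR_ACCOUNT = "zyfwp"

# Assumed version-string shape: "V<major>.<minor>" optionally followed by
# build text such as "Patch 1". This is an assumption for the example, not
# a format the post specifies.
VERSION_RE = re.compile(r"V(\d+)\.(\d+)(.*)", re.IGNORECASE)


def is_affected_firmware(product: str, version: str) -> bool:
    """Return True when a reported firmware version falls in the affected
    range for the given product and does not carry the "Patch 1" fix.

    product is "firewall" (ZLD V4.60 affected) or "ap_controller"
    (V6.00 through V6.10 affected), per the ranges given in the post.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return False  # unrecognised string: cannot classify, treat as not matched
    major, minor, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    if "patch 1" in rest.lower():
        return False  # "Patch 1" builds remove the account
    if product == "firewall":
        return (major, minor) == (4, 60)
    if product == "ap_controller":
        return major == 6 and 0 <= minor <= 10
    return False


# Assumed login-event format: an event containing "user=<name> from=<ip>".
LOGIN_RE = re.compile(r"user=(?P<user>\S+)\s+from=(?P<src>[0-9A-Fa-f.:]+)")

# Constructed sample log lines (not real Zyxel output) mixing a normal
# admin login with three attempts that use the built-in account.
SAMPLE_LOGS = [
    "Jan 04 10:01:12 fw1 sshd: Accepted password for user=admin from=10.0.0.5",
    "Jan 04 10:03:44 fw1 sshd: Accepted password for user=zyfwp from=203.0.113.9",
    "Jan 04 10:04:01 fw1 https: login user=zyfwp from=198.51.100.23 result=ok",
    "Jan 04 10:05:30 fw1 https: login user=ZYFWP from=203.0.113.9 result=fail",
]


def find_backdoor_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every login event (successful or not) that used the
    backdoor account, with the source address, for alerting or blocking.

    Matching is case-insensitive so a variant spelling of the account name
    in the log does not slip past the check.
    """
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m.group("user").lower() == BACKDOOR_ACCOUNT:
            hits.append({"src": m.group("src"), "line": line})
    return hits


def sources_by_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate backdoor login events per source address; a source that
    appears repeatedly is a candidate for a firewall block."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for product, version in [("firewall", "V4.60"), ("firewall", "V4.60 Patch 1"),
                             ("ap_controller", "V6.10"), ("ap_controller", "V6.11")]:
        print(product, version, "affected" if is_affected_firmware(product, version) else "ok")
    hits = find_backdoor_logins(SAMPLE_LOGS)
    for hit in hits:
        print("backdoor login from", hit["src"], "->", hit["line"])
    print(sources_by_count(hits))
```

Run it as-is to see the classification of the four sample versions and the three flagged log lines; in practice, feed `find_backdoor_logins` the authentication log export from the appliance, and treat any hit, successful or failed, as evidence that someone is probing or using the account on a device that still needs Patch 1.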