Security experts have uncovered a vulnerability in over a 100,000 dedicated Zyxel firewalls, access point controllers and VPN gateways.

The hardcoded backdoor accounts identified have administrator-level permissions and can potentially offer threat operators the ability to access network devices using a web admin panel or the SSH interface.

A weakness revealed by security researchers

A Dutch team of researchers at FireEye partner Eye Control discovered the backdoor account and have advised all device owners to upgrade their systems and apply available patches as swiftly as possible. The security specialists have warned all users that threat actors such as hackers, ransomware groups, state-run cybercriminal operations and botnet masters could all potentially access devices using the backdoor account. After successfully invading devices, attacks could then spread to internal networks for larger assaults.

The affected Zyxel models include multiple devices designed for enterprises. A wide range of products from the company’s top range of business-grade solutions, many of them employed by networks of both governments and private firms, has already been identified as featuring the vulnerability. These include, Unified Security Gateway (USG) series, the Advanced Threat Protection (ATP) series, the VPN series, the USG FLEX series and the NXC series.

As these solutions are typically deployed at the edge of an enterprise’s network, they can cause considerable harm if compromised, leading to cybercriminals unleashing further attacks on company infrastructure. At present security patches are only available for the VPN, ATP, USG Flex and USG series according to an advisory issued by Zyxel, but further resolutions are expected by April for the NXC series.

Researchers at Eye Control have commented that installing the available patches will effectively remove the backdoor account and resolve the vulnerability. They also stated that the backdoor account was given root access to devices as it was utilised for the installation of firmware updates via FTP to other linked Zyxel devices.

Zyxel’s 2016 security incident

This is not the first backdoor issue Zyxel has encountered to date, with a previous incident occurring back in 2016. A weakness that was tracked under the name “CVE-2016-10401” in devices released that year from Zyxel included an unseen backdoor function that empowered an individual to raise account access level on devices using a super-user password: “zyad5001”. According to researchers, to this day, CVE-2016-10401 is still employed by threat operators running botnets that strike out at companies via password-type attacks.

The recent account backdoor leaves devices far more vulnerable than the issue identified back in 2016, however. Unlike, the hardcoded credential vulnerability previously discovered that required attackers to at least have an account with low privileges they could elevate, the new backdoor provides threat operators with access without any defined conditions.

The new exploit is also far easier for attackers to abuse than the 2016 backdoor and can be accessed simply by entering credentials on the port 443 hosted panel. Additionally, while the first Zyxel vulnerability only affected home routers, this latest security risk has impacted a wide range of targets including enterprises operating in the corporate sector.