Security researchers from Dutch security company Eye Control have discovered a backdoor account in the firmware for multiple Zyxel enterprise networking devices. Affected products include:
- Advanced Threat Protection (ATP) series
- Unified Security Gateway (USG) series
- USG FLEX series
- VPN series
- NXC series
The username and password needed to access these devices via SSH or the web interface have been published and will likely be abused by many threat actors, even those with low skill levels. Because these devices sit at the edge of the network, a backdoor account can have devastating consequences, allowing an attacker to change the device's configuration or pivot to hosts inside the network. If, for example, an attacker used this access to reach a corporate network whose domain controllers are still vulnerable to ZeroLogon, the result could be a complete domain takeover. Patches are currently available for all of the devices listed above except the NXC series, which is expected to receive a patch in April.
All network administrators are advised to apply the available patches to these devices as soon as possible to remove the account. Until a patch is available (as for the NXC series), exposure can be reduced by not permitting SSH or web management access from untrusted networks. This is not the first time a backdoor account has been found in Zyxel devices: in 2016 a backdoor (CVE-2016-10401) was discovered that allowed any account to elevate to root-level privileges using the password “zyad5001”. According to the researchers at Eye Control, the most recent account was used for installing firmware updates on other connected devices.
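The practical worry in the paragraphs above is an account the administrator never created authenticating over SSH or the web interface. The following Python script is an added example, not code from the article or from Eye Control or Zyxel: it audits syslog-style login lines against an allowlist of provisioned accounts and also flags sources that fail repeatedly and then succeed. The sample log lines are constructed, the log formats (OpenSSH-style `sshd` lines and a generic `httpd: login ...` line) are assumptions rather than real Zyxel output, and the account name `svcfw` is a hypothetical placeholder standing in for any unprovisioned account.

```python
import re
from collections import Counter

# Constructed sample log lines (syslog-style); not real Zyxel output.
# 'svcfw' is a hypothetical placeholder for an account the admin never created.
SAMPLE_LOGS = """\
Jan  2 09:14:03 usg-edge sshd[1201]: Accepted password for admin from 10.0.5.20 port 51022 ssh2
Jan  2 09:16:41 usg-edge sshd[1207]: Failed password for admin from 203.0.113.77 port 40211 ssh2
Jan  2 09:16:43 usg-edge sshd[1207]: Failed password for admin from 203.0.113.77 port 40212 ssh2
Jan  2 09:17:02 usg-edge sshd[1209]: Accepted password for svcfw from 203.0.113.77 port 40215 ssh2
Jan  2 09:18:55 usg-edge httpd: login success user=svcfw src=203.0.113.77
Jan  2 09:20:10 usg-edge httpd: login success user=admin src=10.0.5.21
"""

# Patterns for the two assumed log shapes. Real device syslog formats differ;
# adjust these to the actual output before relying on the results.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WEB_RE = re.compile(
    r"httpd: login (?P<outcome>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_line(line):
    """Return {service, ok, user, src} for a recognised auth event, else None."""
    m = SSH_RE.search(line)
    if m:
        return {"service": "ssh", "ok": m["outcome"] == "Accepted",
                "user": m["user"], "src": m["src"]}
    m = WEB_RE.search(line)
    if m:
        return {"service": "web", "ok": m["outcome"] == "success",
                "user": m["user"], "src": m["src"]}
    return None


def audit_logins(log_text, allowed_users, failure_threshold=2):
    """Flag logins by unprovisioned accounts and guess-then-succeed sources.

    Returns a dict with:
      unknown_account_logins: (service, user, src) for successful logins by
                              accounts outside allowed_users
      guessing_sources:       sources with >= failure_threshold failures that
                              later authenticated successfully
    """
    allowed = set(allowed_users)
    unknown = []
    failures = Counter()   # failed attempts seen so far, per source address
    guessing = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not ev["ok"]:
            failures[ev["src"]] += 1
            continue
        if ev["user"] not in allowed:
            unknown.append((ev["service"], ev["user"], ev["src"]))
        if failures[ev["src"]] >= failure_threshold:
            guessing.add(ev["src"])
    return {"unknown_account_logins": unknown,
            "guessing_sources": sorted(guessing)}


if __name__ == "__main__":
    # The allowlist is an assumption: list the accounts you actually provisioned.
    report = audit_logins(SAMPLE_LOGS, allowed_users={"admin"})
    for service, user, src in report["unknown_account_logins"]:
        print(f"ALERT unprovisioned account '{user}' logged in via {service} from {src}")
    for src in report["guessing_sources"]:
        print(f"ALERT {src} failed repeatedly and then authenticated successfully")
```

Run against the device's exported syslog with the allowlist set to the accounts you created; any successful login by another name is the signal to investigate, whether the account came from a backdoor or from an earlier compromise.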