Hidden Backdoor Identified in 100,000 Zyxel Devices

A vulnerability has been identified in Zyxel devices such as VPN gateways, firewalls, and access point (AP) controllers that could be exploited by threat actors to gain remote administrative access to the devices. By exploiting the vulnerability, threat actors would be able to make changes to firewall settings, allow/deny certain traffic, intercept traffic, create new VPN accounts, make internal services publicly accessible, and gain access to internal networks behind Zyxel devices. Around 100,000 Zyxel devices worldwide have the vulnerability.

Zyxel manufacturers networking equipment and its devices are popular with small to medium sized businesses and are also used by large enterprises and government agencies.

The vulnerability, tracked as CVE-2020-29583, was identified by Niels Teusink of the Dutch cybersecurity firm EYE, who discovered a hidden user account in the latest version of Zyxel firmware (4.60 patch 0).  The user account, zyfwp, which was not visible in the user interface of the products, was discovered to have a hardcoded plain-text password which Teusink found in one of the product binaries. The hardcoded administrative password was introduced in the latest version of the firmware.

Teusink was able to use the credentials to login to vulnerable devices over SSH and the web interface. Since the password is hardcoded, users of the devices are unable to change the password. An attacker could use the credentials to login remotely and compromise a vulnerable Zyxel device.

“As SSL VPN on these devices operates on the same port as the web interface, a lot of users have exposed port 443 of these devices to the internet,” said Teusink.

The vulnerability was reported to Zyxel and a patch has been released to correct the flaw. Zyxel explained that the account had been included to allow the company to deliver automatic firewall updates to connected access points through FTP.

The flaw is present in several Zyxel products including the Zyxel Advanced Threat Protection (APT) firewall, Unified Security Gateway (USG), USG Flex, and VPN version 4.60 and Zyxel AP Controllers NXC2500 and NXC5500 version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an alert about the vulnerability which was rated high risk for large and medium government entities and large and medium business entities, and medium risk for small government entities and small business entities.

All users of the vulnerable products have been advised to apply the patch as soon as possible to prevent exploitation. While there have not been any reported cases of exploitation of the vulnerability in the wild, exploitation of the flaw is likely.

Affected product series Patch available in
ATP series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
USG series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
USG FLEX series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
VPN series running firmware ZLD V4.60 ZLD V4.60 Patch1 in Dec. 2020
AP controllers


NXC2500 running firmware V6.00 through V6.10 V6.10 Patch1 on Jan. 8, 2021
NXC5500 running firmware V6.00 through V6.10 V6.10 Patch1 on Jan. 8, 2021

MS-ISAC has made the following recommendations to mitigate the threat.

  • Apply appropriate updates provided by Zyxel to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privilege user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.