Zyxel programmed back doors into firewalls
Source: Heise.de, added 04 Jan 2021
If you have a Zyxel device from the USG, ATP, VPN, ZyWALL or USG FLEX series, you should check its firmware version as soon as possible. In ZLD V4.40, Zyxel shipped an access account with the fixed user name zyfwp and a fixed password that can be used to change the software on the devices. To make matters worse, these credentials were even visible in plain text in a binary file.
The account is not visible in the account management, and its password cannot be changed. The credentials grant access both via SSH and via the web interface. This open barn door, registered as CVE-2020-29583, was discovered at the end of November 2020 by Niels Teusink of the Dutch IT security company EYE. Zyxel Networks says the account was created for automatic firmware updates via FTP. Devices of the VPN series running SD-OS are not affected.
AP controller NXC also affected – patch only in April
Because hard-coded credentials are a really bad idea, Zyxel has withdrawn firmware version ZLD V4.60 and replaced it with ZLD V4.60 Patch 1. However, firmware version V6.10 of the WLAN access point controllers NXC2500 and NXC5500 is also affected, and because Zyxel did not want to provide a patch for them until April, there was no easy remedy. The patches should now appear on January 8th.
A random sample by EYE showed that around ten percent of the Zyxel USG/ATP/VPN devices with Dutch IP addresses run the vulnerable firmware. Extrapolated worldwide, more than 10,000 devices could be affected: easy prey for botnet operators and other attackers.
[UPDATE 04.01.2021 09:40]
In an updated security advisory, Zyxel points out that the security updates for the affected NXC series should now appear earlier, on January 8th.
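For administrators with more than a handful of these devices, the practical question is which units in inventory still run an affected build. The following script is an added example, not from Heise or Zyxel: it parses Zyxel firmware strings (including the "Patch 1" suffix), applies the affected builds as the article states them (ZLD V4.60 fixed in V4.60 Patch 1; NXC V6.10 with no fixed build yet; SD-OS units out of scope) and triages a constructed, hypothetical inventory.

```python
import re

# Affected builds per the article: ZLD V4.60 on USG/ATP/VPN/ZyWALL/USG FLEX (fixed in
# "ZLD V4.60 Patch 1"); V6.10 on the NXC2500/NXC5500 controllers, with the patch pending.
AFFECTED = {
    "ZLD": {"vulnerable": (4, 60), "fixed": (4, 60, 1)},
    "NXC": {"vulnerable": (6, 10), "fixed": None},
}
ZLD_MODELS = ("USG", "ATP", "VPN", "ZYWALL")  # "USG FLEX" is covered by "USG"
VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Turn 'ZLD V4.60 Patch 1' into (4, 60, 1); a missing patch level is 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def family_of(model):
    model = model.upper()
    if model.startswith("NXC"):
        return "NXC"
    return "ZLD" if model.startswith(ZLD_MODELS) else None

def triage(model, firmware):
    """'vulnerable', 'patched', 'awaiting-vendor-patch' or 'not-affected'."""
    if "SD-OS" in firmware.upper():      # VPN-series units on SD-OS are not affected
        return "not-affected"
    family = family_of(model)
    if family is None:
        return "not-affected"
    ver = parse_version(firmware)
    rule = AFFECTED[family]
    if ver[:2] != rule["vulnerable"]:
        return "not-affected"
    if rule["fixed"] is None:            # affected, but no fixed build to compare against yet
        return "awaiting-vendor-patch"
    return "patched" if ver >= rule["fixed"] else "vulnerable"

# Constructed sample inventory (hostnames and firmware strings are hypothetical).
INVENTORY = [
    ("fw-edge-01", "USG FLEX 100", "ZLD V4.60"),
    ("fw-edge-02", "ATP200", "ZLD V4.60 Patch 1"),
    ("fw-branch", "VPN300", "SD-OS V1.20"),
    ("wlc-01", "NXC2500", "V6.10"),
]

def report(inventory=INVENTORY):
    """Per-host triage status for an inventory of (host, model, firmware) tuples."""
    return {host: triage(model, fw) for host, model, fw in inventory}
```

Devices reported as "awaiting-vendor-patch" should be treated like vulnerable ones until the announced NXC update is installed.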
(ds)