Zyxel Hardcoded Backdoor Account Vulnerability
On December 23rd, 2020, the Dutch security firm Eye disclosed a hardcoded backdoor account in firmware 4.60 on Zyxel firewalls and AP controllers. The credentials for this account cannot be changed or removed unless the firmware is patched. These hardcoded credentials grant access to both the SSH and web admin interfaces, from which malicious actors can gain further access to the internal network. This vulnerability has been assigned CVE-2020-29583. Affected firewalls are the ATP, USG, USG FLEX, and VPN series running 4.60, and affected AP controllers are the NXC2500 and NXC5500 running firmware versions 6.00 through 6.10. A patch is available for the firewall systems at this time, and a patch for the AP controllers will be available on Jan 8th, 2021. Please patch as soon as possible to mitigate; if patching is not possible, consider filtering access to the SSH and web admin interfaces. For more information, please see https://www.zyxel.com/support/CVE-2020-29583.shtml.
Frontline.Cloud Frontline VM will include a check for this vulnerability in release 22.214.171.124. Until it is released, administrators are encouraged to test for this vulnerability manually by attempting to log in with the username “zyfwp” and password “PrOw!aN_fXp” on either SSH or the web interface.
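Because the account exists on every unpatched device whether or not anyone has used it, a patch-status inventory is the primary control, but security operations teams will also want to know whether the backdoor username has already shown up in authentication logs forwarded from these devices. The following is an added example, not code from Zyxel, Eye, or Frontline: it scans syslog-style authentication records for any attempt, successful or failed, that used the "zyfwp" account and summarizes them per host. The log line format, host names, and addresses below are constructed for illustration; Zyxel devices emit their own syslog format, so the two message regexes are an assumption to be adapted to what your collector actually receives.

```python
"""Detect use of the CVE-2020-29583 backdoor account in forwarded auth logs.

Added example; not the vendor's or the advisory author's code. The syslog
shape parsed here is constructed and must be adapted to real device output.
"""
import re
from dataclasses import dataclass

BACKDOOR_USER = "zyfwp"  # account name published in the advisory

# Constructed sample log lines (not real Zyxel output): one firewall's SSH and
# web-admin auth messages plus unrelated noise, in a generic syslog layout.
SAMPLE_LOGS = """\
Dec 24 03:12:01 fw-edge-01 sshd: Accepted password for admin from 10.10.1.5 port 51022
Dec 24 03:14:44 fw-edge-01 sshd: Failed password for zyfwp from 203.0.113.7 port 40112
Dec 24 03:14:49 fw-edge-01 sshd: Accepted password for zyfwp from 203.0.113.7 port 40113
Dec 24 03:20:10 fw-edge-01 httpd: User zyfwp login success from 203.0.113.7
Dec 24 04:01:00 fw-edge-02 httpd: User operator login failed from 10.10.2.9
Dec 24 04:05:33 fw-edge-02 kernel: link up on wan1
"""

# Assumed layout: "<timestamp> <host> <service>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<svc>\w+): (?P<msg>.*)$"
)
# Assumed SSH and web-admin message shapes; adjust to the real device format.
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
WEB_RE = re.compile(r"^User (?P<user>\S+) login (?P<result>success|failed) from (?P<src>\S+)")


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    host: str
    service: str
    user: str
    src: str
    succeeded: bool


def parse_line(line: str):
    """Turn one syslog line into an AuthEvent, or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    svc, msg = m.group("svc"), m.group("msg")
    if svc == "sshd":
        a = SSH_RE.match(msg)
        if not a:
            return None
        ok = a.group("result") == "Accepted"
    elif svc == "httpd":
        a = WEB_RE.match(msg)
        if not a:
            return None
        ok = a.group("result") == "success"
    else:
        return None
    return AuthEvent(m.group("ts"), m.group("host"), svc, a.group("user"), a.group("src"), ok)


def find_backdoor_logins(log_text: str):
    """Return every auth event, success or failure, that used the backdoor account.

    Failed attempts are kept on purpose: on a patched device they show that
    someone is probing for the account; on an unpatched one they precede success.
    """
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e is not None and e.user == BACKDOOR_USER]


def summarize(events):
    """Per-host summary: attempt count, success count, distinct source addresses."""
    report = {}
    for e in events:
        entry = report.setdefault(e.host, {"attempts": 0, "successes": 0, "sources": set()})
        entry["attempts"] += 1
        entry["successes"] += int(e.succeeded)
        entry["sources"].add(e.src)
    return report


if __name__ == "__main__":
    hits = find_backdoor_logins(SAMPLE_LOGS)
    for host, info in summarize(hits).items():
        print(f"{host}: {info['attempts']} attempt(s), {info['successes']} successful, "
              f"from {sorted(info['sources'])}")
```

Any hit at all is worth an incident ticket: the account is not something an administrator would normally log in with, so even a single failed attempt against the management interface indicates that someone is trying the published credentials, and a success on a device that has not yet been patched means the firewall or controller should be treated as compromised until reviewed.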