If you operate a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX device, you should check its firmware version as soon as possible. In ZLD V4.60, Zyxel shipped an undocumented account with the fixed username zyfwp and a fixed password, through which the device firmware can be modified. To make matters worse, these credentials were stored in plain text in a binary file on the device.
The account does not appear in the device's account management, and its password cannot be changed. The credentials grant access via SSH and via the web interface. The wide-open backdoor, registered as CVE-2020-29583, was discovered by Niels Teusink of the Dutch IT security company EYE at the end of November 2020. According to Zyxel Networks, the account was created to deliver automatic firmware updates via FTP. VPN series devices running SD-OS are not affected.
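The core finding above is that a fixed username and password were recoverable as a plain-text string from a firmware binary. The following added example (not from the article or from Zyxel; all names and the blob are constructed placeholders, not the real account) shows the kind of check a firmware reviewer can run against an image: extract printable strings the way the `strings` utility does, then flag `user:secret` records whose secret field is a reusable cleartext value rather than a crypt-style hash or a lock marker.

```python
import re

# Constructed sample firmware blob (not a real Zyxel image). It embeds one
# plaintext "user:password" record, one hashed record and one locked account;
# the account names and the password are placeholders, not advisory values.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32))
    + b"svc_update:Placeh0lder!Pass\x00"             # plaintext credential (bad)
    + b"\x00\x00normal_string_without_secret\x00"
    + b"\x01\x02root:$6$saltsalt$deadbeefcafe\x00"   # hashed password (ok)
    + b"admin:*\x00"                                 # locked account (ok)
    + b"\x13\x37"
)


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII (0x20-0x7e) of at least min_len bytes,
    the same idea as the `strings` utility."""
    run = bytearray()
    for b in blob:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


# user:secret where the secret is at least 6 chars with no ':' or whitespace
CRED_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]{2,31}):([^:\s]{6,})$")


def find_plaintext_credentials(blob: bytes):
    """Return (user, secret) pairs that look like cleartext credentials.
    Entries whose secret field is a crypt(3)-style hash ('$id$...') are
    skipped, since a hash is not a directly reusable secret; lock markers
    such as '*' never match the minimum length."""
    hits = []
    for s in extract_strings(blob):
        m = CRED_RE.match(s)
        if not m:
            continue
        user, secret = m.groups()
        if secret.startswith("$"):
            continue
        hits.append((user, secret))
    return hits


if __name__ == "__main__":
    # Report the account name only; the secret itself is redacted in output.
    for user, secret in find_plaintext_credentials(SAMPLE_BLOB):
        print(f"plaintext credential found for '{user}' ({secret[:2]}..., redacted)")
```

Run the script against a real image by replacing `SAMPLE_BLOB` with the file contents; a hit means the firmware contains a credential that any party with the image can read, which is exactly the condition the article describes.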
NXC AP controllers are also affected – the fix won’t arrive until April
Since hard-coded credentials are a really bad idea, Zyxel has withdrawn ZLD firmware version V4.60 and replaced it with ZLD V4.60 Patch 1. However, firmware version V6.10 for the NXC2500 and NXC5500 WLAN AP controllers is also affected, and since Zyxel does not intend to ship that fix until April, administrators of those devices are left without an easy answer.
EYE’s sample showed that about ten percent of Zyxel USG/ATP/VPN devices with Dutch IP addresses were running the vulnerable firmware. Worldwide, more than 10,000 devices are expected to be affected – easy prey for botnet operators and other criminals.