Built-in Backdoor found in Zyxel Routers & Firewalls

Researcher for built-in Backdoor in Zyxel Routers & firewalls


The vulnerability affects many of Zyxel's popular business-class product line, typically deployed on private corporate and government networks.

The devices have a hard-coded zyfwp account with an unchangeable password. An unauthenticated remote attacker could gain access to a vulnerable system via ssh or a web interface using hard-coded credentials and gain administrator privileges. The vulnerability has a maximum severity level of 10 on the CVSS scale.


$ ssh [email protected] Password: PrOw! AN_fXp Router> show users current No: 1 Name: zyfwp Type: admin (...) Router>

According to a Zyxel spokesman, the account was not associated with any malicious activity, but was only used to deliver automatic firmware updates via FTP. Zyxel recommends that you install the appropriate updates immediately. The vulnerability affects many of Zyxel's popular business-class product line, typically deployed on private corporate and government networks. This includes the following devices:

  • Advanced Threat Protection (ATP) series - used primarily as a firewall
  • Unified Security Gateway (USG) series - used as a hybrid firewall and VPN gateway
  • USG FLEX series - used as a hybrid firewall and VPN gateway
  • VPN series - used as VPN gatewayN
  • NXCseries - used as WLAN access point controller
Zyxel was alerted to the issue at the end of November and partially patched the vulnerability on December 18. The vulnerability was fixed in the ZLD V4.60 Patch1 firmware, and for the NXC2500 and NXC5500 access point controllers a patch will be released in April 2021.


Security experts warn that any attacker, from DDoS botnet operators to government-sponsored hacker groups and ransomware gangs, can use this built-in account to access vulnerable devices and further infiltrate internal networks. The problem is aggravated by the fact that the VPN service and the web interface for device management use port 443 by default, which is why many users left port 443 open for external requests and, thus, in addition to the VPN connection point, they also left the ability to access the web. -interface. According to preliminary estimates, more than 100 thousand vulnerable devices with an open 443 port are available on the network.

Last year, Zyxel patched a critical vulnerability in its network attached storage (NAS) already exploited by cybercriminals in real-world attacks. Vulnerability CVE-2020-9054 could allow an unauthorized attacker to remotely execute arbitrary code. This allows an attacker to exploit the vulnerability by including certain characters in the username and injecting commands with web server privileges. It can then use the device's built-in setuid utility to run commands with superuser privileges.