Cybercrime

Hackers Exploiting Recently Disclosed Zyxel Vulnerability

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.

Ionut Arghire

January 5, 2021

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.

The attacks, currently small in numbers, target CVE-2020-29583, a vulnerability affecting several Zyxel firewalls and WLAN controllers that was publicly disclosed at the end of December.

Firmware updates that remove the bug are already available for some of the affected products, but attackers are seizing the moment, attempting to find vulnerable devices before patches have been applied.

Discovered by EYE security researchers, the issue impacts Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices and exists because the password for the undocumented user account zyfwp is stored in the firmware in plaintext.

The account is meant for the automatic delivery of firmware updates over FTP and has admin privileges. Thus, attacks targeting vulnerable devices could lead to the compromise of entire networks, researchers warn.

Starting January 3, security researchers at GreyNoise, a company that collects and analyzes Internet-wide scan and attack data, observed the first attempts to exploit this so-called “backdoor account” on Zyxel devices, and they say the attacks do not appear to be targeted in nature, but rather opportunistic.

“Yesterday we saw one device start opportunistically attempting to login to servers on the internet over SSH using the ‘backdoor’ username and password disclosed by Zyxel for CVE-2020-29583. Today, we saw two more, bringing us to a total of three (3) devices,” GreyNoise founder Andrew Morris told SecurityWeek via email.

Zyxel exploit

While these are clear attempts to find and compromise vulnerable Zyxel devices that are exposed to the Internet, attribution is not as straightforward.

“One or more individuals, groups, organizations, or botnet operators” could be behind the attempts, Morris pointed out.

Written By Ionut Arghire

Ionut Arghire is an international correspondent for SecurityWeek.

Latest News

Click to comment

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George

Why CISOs Make Great Board Members

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make for successful board members.

Galina Antova

A Change in Mindset: From a Threat-based to Risk-based Approach to Security

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Marie Hattar