Connect with us

Hi, what are you looking for?



Hackers Exploiting Recently Disclosed Zyxel Vulnerability

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials.

The attacks, currently small in numbers, target CVE-2020-29583, a vulnerability affecting several Zyxel firewalls and WLAN controllers that was publicly disclosed at the end of December.

Firmware updates that remove the bug are already available for some of the affected products, but attackers are seizing the moment, attempting to find vulnerable devices before patches have been applied.

Discovered by EYE security researchers, the issue impacts Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices and exists because the password for the undocumented user account zyfwp is stored in the firmware in plaintext.

The account is meant for the automatic delivery of firmware updates over FTP and has admin privileges. Thus, attacks targeting vulnerable devices could lead to the compromise of entire networks, researchers warn.

Starting January 3, security researchers at GreyNoise, a company that collects and analyzes Internet-wide scan and attack data, observed the first attempts to exploit this so-called “backdoor account” on Zyxel devices, and they say the attacks do not appear to be targeted in nature, but rather opportunistic.

“Yesterday we saw one device start opportunistically attempting to login to servers on the internet over SSH using the ‘backdoor’ username and password disclosed by Zyxel for CVE-2020-29583. Today, we saw two more, bringing us to a total of three (3) devices,” GreyNoise founder Andrew Morris told SecurityWeek via email.

Advertisement. Scroll to continue reading.

Zyxel exploit

While these are clear attempts to find and compromise vulnerable Zyxel devices that are exposed to the Internet, attribution is not as straightforward.

“One or more individuals, groups, organizations, or botnet operators” could be behind the attempts, Morris pointed out.

Related: Hardcoded Credentials Expose Zyxel Firewalls, WLAN Controllers to Remote Attacks

Related: Over 20 Zyxel Firewalls Impacted by Recent Zero-Day Vulnerability

Related: Many Backdoors Found in Zyxel CloudCNM SecuManager Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...