CVE-2020-29583: Secret Backdoor Account in Several Zyxel Firewall, VPN Products

Recently, Niels Teusink, a security researcher from EyeControl, a Dutch network security company, discovered that more than 100,000 Zyxel’s firewalls, access point controllers, and VPN gateway products have administrator-level backdoor accounts. These administrator-level accounts hard-coded in the binary code allow an attacker to gain root access to the device through the web management panel or SSH interface. Zyxel is a network equipment manufacturer located in Taiwan.

The backdoor found in the Zyxel firmware is a critical firmware vulnerability, with a CVE number CVE-2020-29583 and a score of 7.8 CVSS. Although the CVSS score may not seem very high, it should not be underestimated. The researcher said that this is an extremely serious vulnerability and the user must update his system immediately. Because anyone can easily exploit this vulnerability, from DDoS botnet operators to ransomware groups and government-funded hackers.

By abusing backdoor accounts, cybercriminals can access vulnerable devices and infect internal networks to launch other attacks. An attacker can log in to the device with administrative privileges and easily damage the network device.

Teusink notified Zyxel of the vulnerability information on November 29. On December 18, Zyxel released the firmware patch “ZLD V4.60 Patch1”. The patch is currently available for the USG FLEx series, ATP series, USG, and VPN series. The NCX series of patches will be released in April 2021.