Threat actors have been observed targeting Zyxel firewall and WLAN controller products that contain an undocumented account with an unchangeable password, stored in cleartext in the product’s firmware. The flaw, tracked as CVE-2020-29583, is a hardcoded credential vulnerability in Zyxel firewalls and AP controllers: the account has a static plain-text password that cannot be changed and carries administrative privilege. Successful exploitation could allow an attacker to log in to this account remotely and compromise affected Zyxel devices. The account was designed to deliver automatic firmware updates to connected access points over FTP. With this access, an attacker could also change firewall settings, intercept traffic, create VPN accounts to reach the network behind the device, and perform other administrative functions.
A. Nature of the Attack
The following products and firmware versions are affected:
- Advanced Threat Protection (ATP) series running firmware ZLD V4.60
- Unified Security Gateway (USG) series running firmware ZLD V4.60
- Unified Security Gateway (USG) FLEX series running firmware ZLD V4.60
- Virtual Private Network (VPN) series running firmware ZLD V4.60
- NXC2500 running firmware V6.00 through V6.10
- NXC5500 running firmware V6.00 through V6.10
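A first response step is to cross-reference the asset inventory against the affected list above. The script below is an added example, not part of the CERT-PH advisory or Zyxel's tooling; the inventory, hostnames and firmware strings in it are constructed, and because the advisory lists only base versions, a version string carrying a suffix (such as a patch level) is flagged for manual verification against Zyxel's notice rather than assumed vulnerable or fixed.

```python
import re

# Affected products exactly as listed in the advisory.
ZLD_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}   # affected on firmware ZLD V4.60
NXC_SERIES = {"NXC2500", "NXC5500"}              # affected on V6.00 through V6.10
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)$", re.IGNORECASE)

def parse_firmware(firmware: str):
    """'ZLD V4.60 Patch 1' -> ((4, 60), ['Patch', '1']). Tokens after the
    Vmajor.minor token are kept as a suffix; the advisory lists base versions only."""
    tokens = firmware.split()
    for i, tok in enumerate(tokens):
        m = VERSION_RE.match(tok)
        if m:
            return (int(m.group(1)), int(m.group(2))), tokens[i + 1:]
    raise ValueError(f"no Vmajor.minor token in {firmware!r}")

def classify(series: str, firmware: str) -> str:
    """'affected': series and base version are on the advisory's list.
    'verify': listed base version plus a suffix the advisory does not describe.
    'not_listed': series or version outside the advisory's list."""
    version, suffix = parse_firmware(firmware)
    s = series.upper()
    if s in ZLD_SERIES:
        listed = version == (4, 60)
    elif s in NXC_SERIES:
        listed = (6, 0) <= version <= (6, 10)
    else:
        listed = False
    if not listed:
        return "not_listed"
    return "verify" if suffix else "affected"

def triage(inventory):
    """Hostnames that must receive Zyxel's patched firmware first."""
    return [d["host"] for d in inventory
            if classify(d["series"], d["firmware"]) == "affected"]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "series": "USG FLEX", "firmware": "ZLD V4.60"},
    {"host": "fw-edge-02", "series": "USG", "firmware": "ZLD V4.39"},
    {"host": "wlc-hq", "series": "NXC5500", "firmware": "V6.05"},
    {"host": "vpn-dc", "series": "VPN", "firmware": "ZLD V4.60 Patch 1"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: CVE-2020-29583 affected, apply the patched firmware")
```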
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
Immediately test and apply the corresponding patched firmware versions of the affected products from the latest security update published by Zyxel.