It turned out that the password of an undocumented account that Zyxel used to push automatic updates was stored in plain text and cannot be changed by the device owner. The firm has prepared patches.
Overlooked vulnerabilities are one of the most serious problems in software development, and the situation becomes even more critical when the affected software ships in a wide range of products. Zyxel has recently had to deal with a hidden backdoor account of exactly this kind.
Included in many Zyxel products
A critical vulnerability was found in many firewalls, VPN gateways and access point controllers made by Zyxel, one of the major names in the network equipment market. The vulnerability is an undocumented account that grants administrative privileges to anyone who knows its password.
The vulnerability, tracked as CVE-2020-29583, was detected in version 4.60 of the Zyxel firmware and affects a wide range of products such as the USG, USG FLEX, ATP and VPN series firewalls.
The company uses this account, called zyfwp, to deliver automatic updates to connected access points, but its fixed password PrOw!AN_fXp poses a great risk: it is stored in plain text in the firmware, it cannot be changed by the administrator, and the account can log in through both the SSH service and the web administration interface. Any device whose management interface is reachable from the internet is therefore exposed.
Security firm EYE reported the vulnerability to Zyxel on November 29, and the company quickly began work on a fix. The patch (firmware 4.60 Patch1) was released for the firewall products listed above on December 18, but a patch for the access point controller products is not expected before April 2021. Until a device is patched, its SSH and web management interfaces should not be exposed to untrusted networks, and login records should be checked for use of the zyfwp account.
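Because the account cannot be removed or its password changed before the patch, the practical check for an operator is whether anyone has already used it. The following is an added example, not code from the article or from Zyxel or EYE: it scans login records for the undocumented zyfwp account and reports successful logins per source address. The log lines and their syslog-like layout are constructed for the example (they are not Zyxel's real log format), so the regular expression is an assumption to be adapted to the device's actual output; the only identifier taken from the page is the account name.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Undocumented account named in CVE-2020-29583 (the only identifier taken from the page).
BACKDOOR_ACCOUNT = "zyfwp"

# Constructed sample log lines in a generic syslog-like layout. This is NOT Zyxel's
# real log format (assumption); adapt LOGIN_RE to whatever your devices actually emit.
SAMPLE_LOGS = """\
2020-12-20T03:14:07Z usg60 auth: user admin from 10.0.0.5 login successful via https
2020-12-20T03:15:22Z usg60 auth: user zyfwp from 198.51.100.23 login successful via ssh
2020-12-20T03:15:40Z usg60 auth: user zyfwp from 198.51.100.23 login failed via https
2020-12-20T03:16:01Z usg60 auth: user support from 10.0.0.9 login successful via ssh
2020-12-20T03:17:55Z usg60 auth: user ZYFWP from 203.0.113.8 login successful via https
this line is not a login event and must be ignored
"""

# Parses one constructed login event into its fields (hypothetical format).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth:\s+user\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+login\s+(?P<result>successful|failed)\s+via\s+(?P<svc>\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    result: str
    service: str


def find_backdoor_logins(log_text, account=BACKDOOR_ACCOUNT):
    """Return every login event (successful or failed) for the given account.

    The username comparison is case-insensitive so a mixed-case attempt is not
    missed; lines that do not parse as login events are skipped.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        if m["user"].lower() != account.lower():
            continue
        findings.append(
            Finding(m["ts"], m["host"], m["user"], m["src"], m["result"], m["svc"])
        )
    return findings


def summarize_by_source(findings):
    """Aggregate findings per source address: successes, failures, services used."""
    summary = defaultdict(lambda: {"successful": 0, "failed": 0, "services": set()})
    for f in findings:
        entry = summary[f.src]
        entry[f.result] += 1
        entry["services"].add(f.service)
    return dict(summary)


def alert_lines(findings):
    """One alert per successful login. On unpatched 4.60 firmware a successful zyfwp
    login is an administrative session that no local administrator created."""
    return [
        f"ALERT {f.ts} {f.host}: successful '{f.user}' login from {f.src} via {f.service}"
        for f in findings
        if f.result == "successful"
    ]


if __name__ == "__main__":
    hits = find_backdoor_logins(SAMPLE_LOGS)
    for line in alert_lines(hits):
        print(line)
    for src, info in summarize_by_source(hits).items():
        print(src, info)
```

Failed attempts are kept as well as successes: on the sample data they show the same source probing both SSH and the web interface, which is useful context even when the successful login is the only event that needs an incident response.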