
Zyxel VPN found to have major security flaws


At least a hundred thousand Zyxel devices have been shipped with a hardcoded admin-level backdoor account - a security compromise of the highest severity. The vulnerability, later confirmed by the company itself, was first spotted by cybersecurity researchers from Eye Control.

According to their report, the hardcoded account can be used to gain root access to many of Zyxel's devices, some of which are used by enterprises at the edge of their networks. These include firewalls, VPN gateways, and access point controllers.

According to Eye Control, the account had root access to the device because it was being used to install firmware updates to other interconnected Zyxel devices through FTP.

If compromised, the affected devices could be used by criminals to launch DDoS attacks and ransomware operations, or as a stepping stone to facilitate more complex cyberattacks.

Zyxel has already issued patches for the Advanced Threat Protection (ATP) solutions, Unified Security Gateway (USG) series, USG Flex, and VPN series, with a patch for the WLAN access point controller NXC series coming in April.

Customers are advised to install the relevant patches, which remove the backdoor account.

Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.