At least a hundred thousand Zyxel devices have been shipped with a hardcoded admin-level backdoor account - a security compromise of the highest severity. The vulnerability, later confirmed by the company itself, was first spotted by cybersecurity researchers from Eye Control.
According to their report, the hardcoded account can be used to gain root access to many of Zyxel's devices, some of which are used by enterprises at the edge of their networks. These include firewalls, VPN gateways, and access point controllers.
According to Eye Control, the account had root access to the device because it was being used to install firmware updates to other interconnected Zyxel devices through FTP.
If compromised, the affected devices could be used by criminals to launch DDoS attacks and ransomware operations, or as a stepping stone to facilitate more complex cyberattacks.
Zyxel has already issued patches for the Advanced Threat Protection (ATP) solutions, Unified Security Gateway (USG) series, USG Flex, and VPN series, with a patch for the WLAN access point controller NXC series coming in April.
Customers are advised to install the relevant patches, which remove the backdoor account.