If you are using ZyXEL, better patch and pray…

CYBERS 04.01.2021

If you remember Edward Snowden, then you may remember him revealing that Cisco and a few others were regularly putting backdoors into their routers and firewalls. Well, yet another firewall and infrastructure device vendor was recently discovered to be doing the same: ZyXEL.

According to recent (Merry Christmas & Happy New Year!) research by the Dutch cybersecurity company Eye Control, a secret user account “zyfwp” was added to customers’ firewalls by firmware patch 4.6. If that wasn’t bad enough, the password for that new account is actually quite easy to obtain.

We will not list the password here, but it looks like a short version of “professional wide open area network experience”.

We have also reached out to CERT-EE, the cybersecurity centre of the Information System Authority of Estonia, and got a clear suggestion from its Executive Director, Tõnu Tammer:

“Security vulnerabilities are regularly found in many products and those are described with official CVEs (Common Vulnerabilities and Exposures). However, it’s also important to understand (and we know it well) that some vulnerabilities are not officially acknowledged and companies deploy software updates with those unofficial vulnerabilities. So, I advise all companies to regularly update the products they use but not to expect that the newest version will be free of security holes or some sort of asylum.”

So, if you are using ZyXEL Advanced Threat Protection (ATP), ZyXEL Unified Security Gateway (USG), ZyWALL, VPN or USG Flex devices, make sure to patch. According to ZyXEL’s own website, most of the products can be patched to remove this security disaster with the latest December patch. The only ones left vulnerable until January are the ZyXEL NXC AP controllers.

Unfortunately, the practice of leaving backdoors and unprotected accounts is still rampant, and if you want your firewalls to be safe, make sure that none of these gaps are left open:

  • Make sure that admin accounts are not “default” after every patch
  • Deploy identity & access management practice/tools
  • Ask your security partner to keep track of Darknet & security forums
  • Use Network Detection and Response (NDR) for spotting abnormal traffic
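The first bullet is the one that would have caught this case: compare the device’s local account list before and after every firmware update and alarm on anything the update silently added. The script below is an added example from this editor, not CYBERS’ or ZyXEL’s code; the `name:privilege` snapshot format is an assumption for illustration, so map it onto whatever your device actually exports.

```python
import re

# Constructed snapshots of a firewall's local user list taken before and
# after a firmware update. The "name:privilege" line format is an assumption
# for this example, not ZyXEL's real export format.
BEFORE = """admin:admin
netops:limited-admin
vpnuser1:user
"""
AFTER = """admin:admin
netops:limited-admin
vpnuser1:user
zyfwp:admin
"""

# Account names the article reports as undocumented; extend from vendor advisories.
KNOWN_UNDOCUMENTED = {"zyfwp"}
ADMIN_PRIVS = {"admin", "limited-admin"}

def parse_accounts(text):
    """Return {name: privilege} from a snapshot; ignore blank and comment lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([\w.-]+):([\w-]+)", line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        accounts[m.group(1)] = m.group(2)
    return accounts

def audit_after_patch(before_text, after_text):
    """Compare two snapshots and return a list of (severity, message) findings."""
    before, after = parse_accounts(before_text), parse_accounts(after_text)
    findings = []
    for name, priv in after.items():
        if name in KNOWN_UNDOCUMENTED:
            findings.append(("critical", f"known undocumented account present: {name} ({priv})"))
        elif name not in before:
            sev = "high" if priv in ADMIN_PRIVS else "medium"
            findings.append((sev, f"account added by update: {name} ({priv})"))
        elif before[name] != priv:
            findings.append(("high", f"privilege changed: {name} {before[name]} -> {priv}"))
    for name in before.keys() - after.keys():
        findings.append(("medium", f"account removed by update: {name}"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_after_patch(BEFORE, AFTER):
        print(f"[{sev}] {msg}")
```

Run it as a post-update step in your change process and feed the findings into the SOC, so a new privileged account is treated as an incident rather than discovered from a security forum weeks later.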

CYBERS helps many companies solve issues like this by providing a 24/7 Security Operations Centre (SOC) and reviewing the cybersecurity measures in place.
Please contact us if you are an existing ZyXEL customer and our team will help you react to this issue.
