More than 100.000 Zyxel firewalls, VPN gateways and access point controllers contain an administrator-level backdoor account with an encrypted password.
The built-in account can grant access to any attacker via SSH or through the web administration panel.
The backdoor account, discovered by a team of Dutch Eye Control security researchers, is considered very dangerous.
So all device owners are advised to update their systems immediately.
Security experts warn that any botnet for DDoS, hacking teams and ransomware gangs could abuse this backdoor to access vulnerable devices and browse internal networks for additional attacks.
Affected models include many of Zyxel's top products from the line of professional-grade devices commonly found in private corporate and government networks.
Be careful if you have the following Zyxel product lines:
- Advanced Threat Protection (ATP) series - firewall
- Unified Security Gateway (USG) series - hybrid firewall and VPN gateway
- USG FLEX series - hybrid firewal and VPN gateway
- VPN series - VPN gateway
- NXC series - WLAN access point controller
Updates are currently only available for the ATP, USG, USG Flex and VPN series. The NXC series is expected in April 2021, according with Zyxel.