More than 100.000 Zyxel firewalls, VPN gateways and access point controllers contain a backdoor administrator-level account with a hard-coded password accesss.
The built-in account can grant access to any attacker via SSH or through the web administration panel.
The backdoor account, discovered by a team Dutch security researchers at Eye Control, it is considered too dangerous.
So all device owners are advised to update their systems immediately.
Security experts warn that every botnet for DDoS, groups hacking and ransomware gangs can abuse this backdoor to access vulnerable devices and browse internal networks for additional attacks.
Affected models include many of Zyxel's top products from the line of professional-grade devices commonly found in private corporate and government networks.
Be careful if you have the following series Zyxel products:
- Advanced Threat Protection (ATP) series - firewall
- Unified Security Gateway (USG) series - hybrid firewall and VPN gateway
- USG FLEX series - hybrid firewal and VPN gateway
- VPN series - VPN gateway
- NXC series - WLAN access point controller
Updates are currently only available for the ATP, USG, USG Flex and VPN series. The NXC series is expected in April 2021, according with Zyxel.