NetworkToolbox news

Oops, they did it again – Zyxel again with hard-coded Backdoor

If one makes a mistake, that’s bad, but it may happen. If one makes the same mistake twice, there is no excuse.

Zyxel did it again. They placed a backdoor with a fixed username and password (zyfwp/PrOw!aN_fXp) in their most sensitive firewall and VPN products.

In late 2016, Zyxel was caught using a hard-coded superuser (su) backdoor password (zyad5001) in their products.

One would think that Zyxel would have learned from this inexcusable and unacceptable mistake and that buyers would avoid Zyxel in the future.

None of this has happened. Zyxel is selling their devices and appliances like crazy and – believe it or not – they have again hard-coded a backdoor into their products. This backdoor was found in their firewalls and VPN gateways (ATP – Advanced Threat Protection, USG – Unified Security Gateway, USG Flex, VPN and NXC WLAN Access Point series).

Thousands of these devices are exposed to the internet and are easy to discover with the Shodan tool included in my app.

A huge number of them are still unpatched and can be accessed using the backdoor credentials, and several of them have already been compromised by ransomware.

Hard-coding passwords is one of the silliest things developers can do, in any product but especially in security products. If Zyxel developers (and the QA department) are that stupid, how can one ever trust their products again? Especially now that this has happened twice. Form your own opinion.

Have a good and safe start into the new year 2021 – and stay healthy.