Taiwan-based Zyxel Networks has issued patches for its enterprise-grade firewalls after security researchers discovered a hard-coded credential vulnerability. The vulnerability gives attackers root-level access over SSH or the web administration interface, allowing firewall rules to be changed so that the network behind the firewall can be reached with ease.
Zyxel advises customers to install the available patches as soon as possible in order to protect their networks.
The vulnerability affects several products, including:
- Advanced Threat Protection (ATP) series (firewall)
- Unified Security Gateway (USG) series (firewall / VPN gateway)
- USG FLEX series (firewall / VPN gateway)
- VPN series (VPN gateway)
- NXC series (WLAN access point controller)
This is not the first time hard-coded credentials have been discovered in Zyxel firmware. Back in 2016, a hard-coded password granted elevation of privilege (via the su command) on the firewall and was quickly targeted by botnets to attack Zyxel devices visible on the internet.
According to the researcher who discovered the vulnerability, this problem is not an old mistake left in the code from early development testing; the vulnerability was introduced in the most recent firmware release (version 4.60 patch 0).
Threat actors have now been detected scanning for Zyxel devices on the internet and then attempting to log in using the disclosed vulnerable password. According to cyber intelligence firm GreyNoise, at least three threat actors, located in China, Russia and Indonesia, are now attempting to exploit the vulnerability.