Backdoor account found in more than 100,000 Zyxel firewalls, VPN gateways


The username and password (zyfwp/PrOw!aN_fXp) were visible in one among the Zyxel firmware binaries.

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account which will grant attackers root access to devices via either the SSH interface or the web administration panel.

The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is taken into account as bad because it gets in terms of vulnerabilities.

Device owners are advised to update systems as soon as time permits.

Security experts warn that anyone starting from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.

Affected modules include many enterprise-grade devices

Affected models include many of Zyxel’s top products from its line of business-grade devices, usually deployed across private enterprise and government networks.

This includes Zyxel product lines such as:

  • the Advanced Threat Protection (ATP) series – used primarily as a firewall
  • the Unified Security Gateway (USG) series – used as a hybrid firewall and VPN gateway
  • the USG FLEX series – used as a hybrid firewall and VPN gateway
  • the VPN series – used as a VPN gateway
  • the NXC series – used as a WLAN access point controller

Many of those devices are used at the sting of a company’s network and, once compromised, allow attackers to pivot and launch further attacks against internal hosts.

Patches are currently available just for the ATP, USG, USG Flex, and VPN series. Patches for the NXC series are expected in April 2021, consistent with a Zyxel security advisory.

Backdoor account was easy to discover

Installing patches removes the backdoor account, which, consistent with Eye Control researchers, uses the “zyfwp” username and therefore the “PrOw!aN_fXp” password.

“The plaintext password was visible in one among the binaries on the system,” the Dutch researchers said during a report published before the Christmas 2020 holiday.

Researchers said the account had root access to the device because it had been getting used to putting in firmware updates to other interconnected Zyxel devices via FTP.


In an interview in the week , IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a previous incident that happened in 2016.

Tracked as CVE-2016-10401, Zyxel devices released at the time contained a secret backdoor mechanism that allowed anyone to elevate any account on a Zyxel device to root level using the “zyad5001” SU (super-user) password.

“It was surprising to ascertain yet one more hard coded credential specially since Zyxel is cognizant that the last time this happened, it had been abused by several botnets,” Anubhav told.

“CVE-2016-10401 remains within the arsenal of most password attack based IoT botnets,” the researcher said.

But this time around, things are worse with CVE-2020-29583, the CVE identifier for the 2020 backdoor account.

Anubhav told that while the 2016 backdoor mechanism required that attackers first have access to a low-privileged account on a Zyxel device — in order that they can elevate it to root —, the 2020 backdoor is worse because it can grant attackers direct access to the device with none special conditions.

“In addition, unlike the previous exploit, which was utilized in Telnet only, this needs even lesser expertise together can directly try the credentials on the panel hosted on port 443,” Anubhav said.

Furthermore, Anubhav also points out that the majority of the affected systems also are very varied, compared to the 2016 backdoor issue, which only impacted home routers.

Attackers now have access to a wider spectrum of victims, most of which are corporate targets, because the vulnerable devices are primarily marketed to companies as how to regulate who can access intranets and internal networks from remote locations.


This is an enormous deal within the bigger picture because vulnerabilities in firewalls and VPN gateways are one among the first sources of ransomware attacks and cyber-espionage operations in 2019 and 2020.

Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have often been exploited to attack companies and government networks.

The new Zyxel backdoor could expose an entire new set of companies and government agencies to an equivalent sort of attack that we have seen over the past two years.



Please enter your comment!
Please enter your name here