Skip to main content

Hackers are actively exploiting this leading VPN, so patch now

security
(Image credit: Shutterstock / binarydesign)

Cybercriminals are now actively exploiting a major security vulnerability identified in products shipped by networking firm Zyxel, researchers have discovered.

According to Dutch company Eye Control, an admin-level backdoor account hardcoded into the company’s VPN hardware, as well as its firewalls and access point controllers, could grant attackers access to internal networks and provide a platform for further attacks.

“As the user has admin privileges, this is a serious vulnerability,” said Niels Teusink, a senior cybersecurity specialist at Eye Control. “An attacker could completely compromise the confidentiality, integrity and availability of the device.” 

Since the vulnerability came to light, security firm GreyNoise has identified three separate IP addresses scanning the web for devices using the SSH protocol (a vector for infiltrating the affected Zyxel hardware).

Once the attackers identified an SSH device, they attempted to log-in using the compromised backdoor account credentials.

Zyxel VPN security flaw

Researchers estimate that the vulnerability, which is as serious as they come, is present in circa 100,000 Zyxel devices. The affected products are as follows:

  • Advanced Threat Protection (ATP) series
  • Unified Security Gateway (USG) series
  • USG FLEX series
  • VPN series
  • NXC series

If compromised successfully, these devices could allow the attacker to block traffic or fiddle with firewall settings in preparation for a secondary attack.

“They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon, this could be devastating to small and medium businesses,” added Teusink.

Zyxel released a patch for the majority of affected devices last month, with the exception of the NXC series, but the knowledge that attackers are actively seeking to exploit the flaw now adds an additional element of urgency.

As such, all affected organizations are advised to install the relevant updates as soon as possible, to shield against potential attack.

Via Bleeping Computer

Joel Khalili

Joel Khalili is a Staff Writer working across both TechRadar Pro and ITProPortal. He's interested in receiving pitches around cybersecurity, data privacy, cloud, storage, internet infrastructure, mobile, 5G and blockchain.