
Leading VPN service found to have major backdoor security hole

[Image: VPN (Image credit: Shutterstock / Elaine333)]

A major security vulnerability has been discovered in one of the most popular VPN offerings around today.

Security researchers at Dutch firm Eye Control found an admin-level backdoor account that could grant attackers root access to Zyxel's VPN gateways, as well as firewalls and access point controllers made by the firm.

The backdoor account's username and password were both stored in plain text within Zyxel system binaries running firmware version 4.60, patch 0. The credentials gave anyone who found them root access to the Zyxel device in question and worked over both SSH and the web administration interface.
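A hard-coded account of this kind is invisible in the device's user inventory, so the practical defence while a patch is pending is to watch for logins that do not match the accounts and management networks you actually administer. The following is an added example, not Zyxel's code or Eye Control's tooling: it runs a simple check over constructed sshd-style log lines (Zyxel's real log format is not shown in the article, so the format, the hostname `fw01`, the account names and the addresses are all assumptions) and flags successful logins by accounts outside an inventory or from outside the management network.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines in a generic sshd/syslog style. The article does
# not show the device's actual log format, so this layout is an assumption.
SAMPLE_LOG = """\
Jan 04 09:12:01 fw01 sshd[2311]: Accepted password for admin from 10.0.5.20 port 51022 ssh2
Jan 04 09:13:44 fw01 sshd[2340]: Failed password for root from 203.0.113.9 port 40012 ssh2
Jan 04 09:14:02 fw01 sshd[2342]: Accepted password for svcacct from 203.0.113.9 port 40018 ssh2
Jan 04 09:20:17 fw01 sshd[2399]: Accepted publickey for admin from 10.0.5.21 port 51100 ssh2
Jan 04 09:31:50 fw01 sshd[2450]: Accepted password for admin from 198.51.100.7 port 33020 ssh2
"""

# Inventory of administrator accounts you created yourself (assumed values).
# A vendor-embedded account will never appear here, which is the point.
KNOWN_ADMIN_ACCOUNTS = {"admin"}

# Networks from which management logins are legitimately expected (assumed).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Parses the result, auth method, account and source address of an sshd line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass
class Finding:
    user: str
    src: str
    reason: str


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per policy violation among the successful logins."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only successful logins matter here; failed attempts are ordinary noise.
        if not m or m.group("result") != "Accepted":
            continue
        user = m.group("user")
        src = ipaddress.ip_address(m.group("src"))
        if user not in KNOWN_ADMIN_ACCOUNTS:
            findings.append(Finding(user, str(src), "login by account not in inventory"))
        if not any(src in net for net in MANAGEMENT_NETWORKS):
            findings.append(Finding(user, str(src), "management login from outside allowed networks"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.user:10} {f.src:16} {f.reason}")
```

On the sample input the check reports the unknown `svcacct` account twice (unknown account, and a source outside the management network) and the `admin` login from `198.51.100.7` once. The check only helps where the device forwards its authentication logs to a collector you control, and it says nothing about logins through the web interface, which would need the same treatment applied to that interface's access log.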

“As the user has admin privileges, this is a serious vulnerability,” Niels Teusink, a senior cybersecurity specialist at Eye Control, explained. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”

Patches on the way

Eye Control researchers estimate that around 100,000 Zyxel devices are affected by the vulnerability, which appears to have been introduced by the latest firmware update. Affected Zyxel products include the Advanced Threat Protection series of devices, the company's NXC series of devices, its VPN gateways, and several others.

Patches are available for a number of the affected devices, and further updates are expected by April to provide additional fixes. Users of all Zyxel devices are advised to install the latest updates in order to close the newly discovered flaw.

The Zyxel vulnerability is particularly worrying given that it affects firewalls and VPN gateways. This means that the flaw could potentially be exploited by other attackers to inject ransomware or conduct other malicious activities.

Via ZDNet