[ALUG] Hardcoded password in Zyxel firmware.

Andreas Tauscher ta at geuka.net
Fri Jan 8 21:47:00 EAT 2021


If you have a Zyxel device of the USG, ATP, VPN, ZyWALL or USG FLEX
series, you should check the firmware version as soon as possible.
Zyxel has coded in an access account with a fixed user name zwyfp and
password into ZLD V4.60, which can be used to change the software of the
devices.
The account is not visible in the account management, and the password
cannot be changed. The access data allow access via SSH as well as the
web interface.

If you have the firmware version ZLD V4.60, you should immediately update to ZLD
V4.60 Patch 1
https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release

Firmware version V6.10 of the WLAN access point controllers NXC2500 and
NXC5500 is also affected.

Greetings

Andreas

