Leading VPN service found to have major backdoor security hole

News
By published

Damaging security vulnerability found to be affecting Zyxel devices, including the company's VPN tool

VPN
(Image credit: Shutterstock / Elaine333)

A major security vulnerability has been discovered in one of the most poular VPN offerings around today.

Security personnel at Dutch firm Eye Control found an admin-level backdoor account that could grant attackers root access to users of Zyxel’s VPN services, as well as firewalls and access point controllers managed by the firm.

The backdoor account uses a username and password that both were visible in plain text within Zyxel system binaries running firmware version 4.60, patch 0. The credentials allowed an individual to gain root access to the Zyxel device in question and worked on both the SSH and web interface access portal.

“As the user has admin privileges, this is a serious vulnerability,” Niels Teusink, a senior cybersecurity specialist at Eye Control, explained. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”

Patches on the way

Eye Control researchers estimate that around 100,000 Zyxel devices are affected by the vulnerability, which appears to have been introduced by the latest firmware update. Affected Zyxel products include the Advanced Threat Protection series of devices, the company’s NXC series of devices, its VPN gateways, and a fair few more.

Patches are available for a number of the compromised devices and further updates are expected by April to provide additional fixes. Users of all Zyxel devices are advised to install the latest updates in order to plug the newly discovered flaw.

The Zyxel vulnerability is particularly worrying given that it affects firewalls and VPN gateways. This means that the flaw could potentially be exploited by other attackers to inject ransomware or conduct other malicious activities.

Via ZDNet

TOPICS
Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in VPN Privacy & Security
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address
What does your IP address reveal about you?
A stethoscope next to a laptop on a pink background
How to check if your VPN is working
Teenager playing on a gaming PC with two monitors
Is using a VPN while gaming cheating? 5 myths you shouldn't believe about gaming with a VPN
Neon blue email symbols on a black background
Why am I suddenly getting so many spam emails?
A computer file surrounded by red laser beams
Cover your tracks: the risk of sending unencrypted files
Using an Amazon Fire Stick on a Smart TV
How to use a VPN with Fire Stick
Latest in News
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
Visual Intelligence identifying a dog
AirPods with cameras for Visual Intelligence could be one of the best personal safety features Apple has ever planned – here's why
More about vpn privacy security
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address

What does your IP address reveal about you?
A stethoscope next to a laptop on a pink background

How to check if your VPN is working
DJI Mavic 3 Pro

More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
See more latest
Most Popular
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
De'Longhi Linea Classic espresso machine on kitchen counter with hot and cold coffee drinks
I'm a qualified barista, and De'Longhi's latest espresso machine could be this year's best budget buy for coffee lovers
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Visual Intelligence identifying a dog
AirPods with cameras for Visual Intelligence could be one of the best personal safety features Apple has ever planned – here's why
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Apple iPhone 16 Review
New iPhone 17 report lends weight to rumors of major display and camera upgrades, and a pricey Apple foldable