Leading VPN service found to have major backdoor security hole

[Image: VPN (credit: Shutterstock / Elaine333)]

A major security vulnerability has been discovered in one of the most popular VPN offerings around today.

Security researchers at Dutch firm Eye Control found an admin-level backdoor account that could grant attackers root access to Zyxel’s VPN gateways, as well as to firewalls and access point controllers made by the firm.

The backdoor account’s username and password were both stored in plain text within the Zyxel system binaries of firmware version 4.60, patch 0. The credentials gave anyone who found them root access to the affected Zyxel device, and they worked on both the SSH interface and the web administration portal.

“As the user has admin privileges, this is a serious vulnerability,” Niels Teusink, a senior cybersecurity specialist at Eye Control, explained. “An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”

Patches on the way

Eye Control researchers estimate that around 100,000 Zyxel devices are affected by the vulnerability, which appears to have been introduced by the latest firmware update. Affected Zyxel products include the Advanced Threat Protection series of devices, the company’s NXC series of devices, its VPN gateways, and a fair few more.

Patches are already available for a number of the affected devices, and further updates are expected by April to provide additional fixes. Users of all Zyxel devices are advised to install the latest updates in order to plug the newly discovered flaw.

The Zyxel vulnerability is particularly worrying given that it affects firewalls and VPN gateways, the devices that sit at the edge of a network. This means that the flaw could potentially be exploited by attackers to deploy ransomware or conduct other malicious activity inside the networks behind them.

Via ZDNet

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 
