![]() ![]() ![]() While doing research on his personal Zyxel firewall, the security researcher discovered not only that the problematic user account exists with hardcoded credentials, but also that the account works both on SSH and the web interface. The account was designed for the delivery of automatic firmware updates through FTP and is present on Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices. Identified by EYE security researcher Niels Teusink, the vulnerability exists because the password for the “zyfwp” user account was stored in plaintext and was visible in one of the binaries on the system. Several Zyxel firewall and WLAN controller products contain hardcoded credentials for an undocumented user account that has admin privileges. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |