Source: cret@cert.org
ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B20A devices with firmware 1.00AANC0b5, and NBG-418N devices have a default password of 1234 for the admin account, which allows remote attackers to obtain administrative access via unspecified vectors.
Multiple ZyXEL router models are vulnerable to a critical security flaw due to a default, hardcoded password ('1234') for the administrative account. This allows remote attackers to gain complete control of the devices, potentially leading to network compromise, data theft, and denial-of-service conditions.
Step 1: Reconnaissance: The attacker identifies vulnerable ZyXEL devices on the target network or internet using port scanning (e.g., ports 80, 8080, 23, 22) and banner grabbing to identify the device model and firmware version.
Step 2: Authentication Attempt: The attacker attempts to log in to the router's web interface (or another management interface such as Telnet or SSH, if enabled) using the default credentials: username 'admin' and password '1234'.
Step 3: Successful Access: If the device is vulnerable, the authentication succeeds, granting the attacker administrative access to the router.
Step 4: Post-Exploitation: The attacker can then perform various actions, including modifying network settings (e.g., DNS, routing), intercepting network traffic, installing malware, changing the router's firmware, or launching attacks against other devices on the network.
The vulnerability stems from a fundamental design flaw: the ZyXEL firmware, across multiple device models and firmware versions, ships with a default administrative password ('1234') that initial setup does not require the user to change. This lack of a secure default configuration lets anyone who knows the default pass the login check and gain unauthorized access to the router's web interface or other management interfaces. The root cause is the absence of a secure default configuration and the failure to enforce a password change on first login. The firmware likely uses a simple authentication mechanism that compares the supplied password directly with the stored default, without any salting or hashing, so exploitation requires no technical skill beyond knowing the default.
While no specific APT groups are known to exploit this vulnerability exclusively, it is highly likely that various threat actors, including those seeking initial access, use it: default credentials are low-hanging fruit and a common target. The vulnerability is not listed in the CISA KEV catalog, but it is severe and could be exploited by any threat actor.
Network traffic analysis: Look for HTTP/HTTPS requests to the router's web interface (typically on ports 80 or 443) that authenticate as 'admin' with the password '1234'. The credentials themselves are only visible in cleartext protocols (HTTP, Telnet); inside a TLS session only the connection metadata (source, destination, timing) can be inspected.
Log analysis: Examine router logs for successful or failed login attempts using the default credentials. Successful logins from unexpected IP addresses are highly suspicious.
Port scanning: Identify open ports associated with router management interfaces (e.g., 23 for Telnet, 22 for SSH, 80, 8080 for HTTP).
Firmware analysis: If possible, analyze the router's firmware to confirm the presence of the default password.
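The network-traffic and log-analysis checks above, as an added example that is not part of the original advisory: it decodes an HTTP Basic Authorization header and flags the default 'admin'/'1234' pair, and it scans router authentication events for successful 'admin' logins from outside a trusted management network. The log line format and the sample events are constructed for illustration and are not a real ZyNOS log format.

```python
import base64
import ipaddress
import re

# Constructed sample data (not a real ZyNOS log format or real capture):
SAMPLE_LOG = """\
Jan 12 03:14:07 router zynos: user admin login from 192.168.1.10 status=success
Jan 12 03:15:22 router zynos: user admin login from 203.0.113.45 status=failed
Jan 12 03:15:25 router zynos: user admin login from 203.0.113.45 status=success
Jan 12 03:20:01 router zynos: user guest login from 192.168.1.23 status=success
"""
SAMPLE_HTTP_AUTH_HEADER = "Authorization: Basic YWRtaW46MTIzNA=="  # encodes admin:1234

DEFAULT_CREDENTIALS = {("admin", "1234")}  # the default pair named in the advisory
LOG_RE = re.compile(r"user (?P<user>\S+) login from (?P<ip>\S+) status=(?P<status>\w+)")


def basic_auth_uses_default(header_line):
    """True if an HTTP Basic Authorization header carries a known default credential pair."""
    m = re.match(r"Authorization:\s*Basic\s+(\S+)", header_line)
    if not m:
        return False
    try:  # binascii.Error (bad base64) is a ValueError subclass
        user, _, password = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
    except ValueError:
        return False
    return (user, password) in DEFAULT_CREDENTIALS


def suspicious_admin_logins(log_text, trusted_nets):
    """Flag successful 'admin' logins from outside the trusted management networks;
    note when the same source failed first (possible default-credential guessing)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings, failed_from = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if m["status"] == "failed":
            failed_from.add(ip)
        elif m["user"] == "admin" and not any(ip in n for n in nets):
            reason = "admin login from untrusted source"
            if ip in failed_from:
                reason += " after failed attempt"
            findings.append((str(ip), reason))
    return findings
```

Feed the functions captured Authorization headers and the router's exported authentication log; a finding from an address outside the management network is the signal the log-analysis check above describes.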
Change the default administrative password immediately to a strong, unique password. This is the most critical step.
Disable remote administration if not required. If remote access is necessary, restrict access by IP address and use strong authentication methods.
Update the router's firmware to the latest version available from ZyXEL. Although this vulnerability is related to the default password, newer firmware versions may include other security enhancements.
Implement network segmentation to isolate the router from critical internal network resources.
Monitor network traffic and router logs for suspicious activity.