ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B20A devices with firmware 1.00AANC0b5, and NBG-418N devices have a default password of 1234 for the admin account, which allows remote attackers to obtain administrative access via unspecified vectors.
Multiple ZyXEL router models are vulnerable to a critical security flaw due to a hardcoded default password ('1234') for the administrative account. This allows remote attackers to gain complete control of the devices, potentially leading to network compromise, data theft, and denial-of-service conditions.
Step 1: Target Identification: The attacker identifies vulnerable ZyXEL devices on the network, likely through port scanning (e.g., port 80, 23, 8080) or other reconnaissance techniques.
Step 2: Authentication Attempt: The attacker attempts to log in to the device's web interface or telnet service using the default credentials: username 'admin' and password '1234'.
Step 3: Successful Login: If the device has not had its password changed, the authentication succeeds, granting the attacker administrative access.
Step 4: Post-Exploitation: The attacker can now modify device settings (e.g., DNS settings, firewall rules), intercept network traffic, upload malicious firmware, or launch denial-of-service attacks.
The vulnerability stems from a fundamental design flaw: the ZyXEL firmware, across multiple device models and firmware versions, does not change or require a change of the default administrative password during device initialization. This lack of security hardening leaves the devices open to unauthorized access. The root cause is a missing or ineffective password-reset step during initial setup, or a failure to enforce a password change at all. The function responsible for authentication most likely performs a simple comparison of the entered password against the hardcoded value, with no additional controls such as password-complexity checks or account lockout. Shipping the device in this state, insecure by default, is the critical design flaw.
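As an added illustration of the root cause described above (this is not ZyXEL's firmware code), the bare comparison pattern is shown beside a hypothetical hardened replacement that grants no administrative access until the factory default has been replaced, rejects the default and short passwords, and locks the account after repeated failures:

```python
import hashlib
import hmac
import os
import time

FACTORY_DEFAULT_PASSWORD = "1234"  # the shipped default named in the advisory


def vulnerable_login(username: str, password: str) -> bool:
    """The pattern the advisory describes: a plain comparison against the default."""
    return username == "admin" and password == FACTORY_DEFAULT_PASSWORD


class HardenedAdminAuth:
    """Hypothetical hardened replacement (assumed design, not vendor code)."""

    MIN_LENGTH = 10          # minimal complexity rule
    MAX_FAILURES = 5         # lockout threshold
    LOCKOUT_SECONDS = 300
    PBKDF2_ROUNDS = 50_000

    def __init__(self) -> None:
        self._salt = None
        self._hash = None    # None: no admin password chosen yet (first boot)
        self._failures = 0
        self._locked_until = 0.0

    def needs_initial_setup(self) -> bool:
        return self._hash is None

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)

    def set_password(self, new_password: str) -> None:
        # Refuse the factory default and anything below the minimum length.
        if new_password == FACTORY_DEFAULT_PASSWORD or len(new_password) < self.MIN_LENGTH:
            raise ValueError("password is the factory default or too short")
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)

    def login(self, username: str, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if self.needs_initial_setup() or now < self._locked_until:
            return False  # no access until setup is done, and none while locked out
        if username == "admin" and hmac.compare_digest(self._derive(password), self._hash):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._locked_until = now + self.LOCKOUT_SECONDS
            self._failures = 0
        return False
```

The `now` parameter only exists so the lockout window can be exercised deterministically; a real device would use its clock.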