Source: cret@cert.org
The web administration interface on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 has a default password of 1234 for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.
ZyXEL NBG-418N routers with firmware 1.00(AADZ.3)C0 are vulnerable to remote administrative takeover because the admin account ships with a well-known default password ('1234') that is not changed during setup. This allows attackers on the local network to gain complete control of the device, potentially leading to data exfiltration, network compromise, and further attacks.
Step 1 (Network Reconnaissance): An attacker on the local network identifies the target ZyXEL NBG-418N router's IP address, typically by scanning the network or through DHCP lease information.
Step 2 (Web Interface Access): The attacker accesses the router's web administration interface via a web browser, typically by navigating to the router's IP address (e.g., http://192.168.1.1).
Step 3 (Default Credential Authentication): The attacker enters the default username ('admin') and password ('1234') into the login form.
Step 4 (Administrative Access Granted): The router's web interface authenticates the attacker as an administrator, granting full control over the device's configuration and functionality.
Step 5 (Post-Exploitation): The attacker can now modify network settings, change DNS servers, install malicious firmware, monitor network traffic, or use the compromised router as a launching point for further attacks.
The vulnerability stems from a fundamental design flaw: the ZyXEL NBG-418N firmware ships with a default administrative password ('1234') that is not changed during initial setup or installation. The web administration interface does not enforce strong password policies or require users to change the default credentials. This lack of security by default allows any user on the local network to authenticate as the administrator without any brute-force attempts or complex exploitation techniques. The root cause is a failure to implement secure default configurations and a lack of password management best practices.
No threat actor groups are known to target this specific vulnerability, but default credentials are low-hanging fruit that any attacker, from financially motivated actors to nation-state actors, could leverage. The ease of exploitation makes it attractive for opportunistic attacks.
CISA KEV: Not Listed
Monitor network traffic for excessive login attempts to the router's web interface, especially from internal IP addresses.
Analyze router logs for successful logins using the default 'admin' account and the password '1234'.
Implement network intrusion detection systems (IDS) with rules to identify attempts to access the router's web interface with the default credentials (feasible when the interface is served over plain HTTP, as in the http://192.168.1.1 example above, since the login form fields are then visible on the wire).
Monitor for changes to the router's configuration, such as DNS settings, firewall rules, or firmware updates, that could indicate compromise.
Perform regular vulnerability scans of the network to identify vulnerable devices.
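The detection guidance above (login bursts, successful admin logins, and configuration changes) can be turned into a small log triage routine. The following is an added example, not part of the advisory; the NBG-418N's real log format is not given on the page, so the syslog-style lines, field names and the trusted_admins parameter are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: field layout is illustrative only; the real
# device format is not documented on the page). Mirrors the attack sequence:
# a short burst of failed logins, a success, then a DNS change from the same host.
SAMPLE_LOG = """\
2024-03-01 09:00:01 router web: login failed user=admin src=192.168.1.50
2024-03-01 09:00:02 router web: login failed user=admin src=192.168.1.50
2024-03-01 09:00:03 router web: login failed user=admin src=192.168.1.50
2024-03-01 09:00:04 router web: login success user=admin src=192.168.1.50
2024-03-01 09:00:30 router web: config changed item=dns src=192.168.1.50
2024-03-01 12:15:00 router web: login success user=admin src=192.168.1.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ web: (?P<event>login failed|login success|config changed)"
    r"(?: user=(?P<user>\S+))?(?: item=(?P<item>\S+))? src=(?P<src>\S+)$"
)

def analyze(log_text, burst=3, window=timedelta(seconds=60), trusted_admins=frozenset()):
    """Return alerts as (kind, src, detail) tuples.

    burst:          number of failed logins from one source within `window` that
                    counts as excessive (fires once, when the threshold is reached)
    trusted_admins: hosts from which admin logins are expected; any other source
                    producing a successful 'admin' login is flagged
    """
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # unrecognised line: skip, do not abort triage
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src, event = m["src"], m["event"]
        if event == "login failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) == burst:
                alerts.append(("burst", src, f"{burst} failed logins within {window}"))
        elif event == "login success" and m["user"] == "admin" and src not in trusted_admins:
            alerts.append(("admin-login", src, "admin login from untrusted host"))
        elif event == "config changed":
            alerts.append(("config-change", src, f"{m['item']} changed"))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG, trusted_admins={"192.168.1.10"}):
        print(f"{kind:14} {src:15} {detail}")
```

Feed real device syslog into analyze() after adjusting LINE_RE to the actual format; a config-change alert shortly after an untrusted admin-login is the sequence that matters most.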
Upgrade the router's firmware to a patched version that addresses the vulnerability. If no patch is available, consider replacing the device.
If a firmware update is not possible, change the default administrator password immediately to a strong, unique password.
Disable remote administration access to the router's web interface if not required.
Segment the network to isolate the router from sensitive internal resources.
Implement a strong password policy for all network devices.
Regularly audit network devices for vulnerabilities and misconfigurations.
Consider using a network intrusion prevention system (IPS) to block attempts to access the router's web interface with the default credentials.