Anyone who uses Zyxel firewalls should bring them up to date. Otherwise, attackers could log in to the devices directly over the Internet via SSH and access them with admin rights.
This scenario is now becoming tangible, as attackers are currently actively scanning for SSH connections. On a Zyxel SSH connection, one could log in using the recently discovered backdoor account zyfwp with a well-known password.
Among others, the SANS Internet Storm Center reports on the scans in a post. For the firewalls of the ATP, USG, USG Flex and VPN series, the patched firmware 4.60 Patch1 has been released. According to Zyxel, however, only firewalls that were updated to firmware 4.60 between 25 November and 3 December 2020 are at risk.
The security update 6.10 Patch1 for the vulnerable access point controllers NXC2500 and NXC5500 is due on 8 January, according to a Zyxel advisory. VPN devices with SD-OS are reportedly not affected.
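To look for the scans described above in your own logs, the following added example (not from the original article or from Zyxel) counts password logins for the backdoor account name zyfwp per source IP. It assumes OpenSSH-style syslog lines, for instance from an Internet-facing Linux host or honeypot; the sample lines are constructed.

```python
import re
from collections import defaultdict

BACKDOOR_USER = "zyfwp"  # account name reported for the Zyxel backdoor

# Assumed OpenSSH-style format. The greedy user group plus the end anchor take
# the source IP from the end of the line, so a crafted username cannot forge it.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2\s*$"
)

# Constructed sample lines (documentation IP ranges), not real scan data.
SAMPLE_LOG = """\
Jan  4 10:01:12 gw sshd[811]: Failed password for invalid user zyfwp from 192.0.2.10 port 51234 ssh2
Jan  4 10:01:15 gw sshd[811]: Failed password for invalid user zyfwp from 192.0.2.10 port 51240 ssh2
Jan  4 10:02:40 gw sshd[820]: Failed password for root from 203.0.113.5 port 40100 ssh2
Jan  4 10:03:02 gw sshd[833]: Accepted password for zyfwp from 198.51.100.7 port 40022 ssh2
Jan  4 10:04:19 gw sshd[840]: Accepted password for admin from 10.0.0.5 port 50111 ssh2
Jan  4 10:05:00 gw sshd[850]: Failed password for invalid user zyfwp from 203.0.113.99 port 1 from 192.0.2.44 port 51300 ssh2
"""


def backdoor_attempts(lines, user=BACKDOOR_USER):
    """Count failed/accepted password logins for `user`, grouped by source IP."""
    report = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("user").lower() == user:
            report[m.group("ip")][m.group("result").lower()] += 1
    return dict(report)


def successful_sources(report):
    """Source IPs with at least one accepted login: treat these as an incident."""
    return sorted(ip for ip, counts in report.items() if counts["accepted"])


if __name__ == "__main__":
    report = backdoor_attempts(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(report.items()):
        print(ip, counts)
    print("accepted logins from:", successful_sources(report))
```

Failed attempts indicate scanning; any accepted login for this account name on a real device or host warrants incident handling rather than just blocking the source.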
General security tips
As a general rule, admin accounts should be accessible only to a dedicated group of people. In addition, you should avoid access via the Internet to reduce the attack surface. If that cannot be avoided, such remote access should be adequately secured and sealed off.
Admins also have to make sure that the firmware is always up to date. Where possible, such checks and installations should be automated.
The backdoor was discovered by a security researcher at the Dutch IT security company Eye. Zyxel states that it created the account, which is not visible in the account management, for automatic firmware updates via FTP. The password is static and cannot be changed. Access is possible via SSH and the web interface.