Zyxel, a manufacturer of networking devices from Taiwan, is warning its customers about an ongoing series of attacks targeting some of its enterprise firewalls, along with VPN devices. Devices running the Nebula cloud management mode are not impacted by these attacks.

What has happened?

According to Zyxel, a sophisticated threat actor is targeting enterprise firewall and VPN server solutions, such as USG, ATP, USG FLEX, ZyWALL, and VPN series, running on-premise ZLD firmware.
  • The firm reported that attackers are trying to access network devices through WAN.
  • After accessing the devices, they attempt to bypass authentication and create SSL VPN tunnels with unknown user accounts (i.e. zyxel_vpn_test, zyxel_slIvpn, or zyxel_ts) to manipulate the device’s configuration.
  • It is not known if the attacker is exploiting an old vulnerability that exists in unpatched devices or if they are using an unknown or unidentified flaw known as zero-day vulnerability.
  • Furthermore, it is not clear that attacks already targeted some of Zyxel’s customers or that the attack was spotted via honeytraps in the early stages. Now the customers are being alerted about the larger wave of incoming attacks.

Exploitable flaws in network devices

Along with Zyxel, numerous vendors had their enterprise firewalls and VPNs abused via exploitable flaws. Such vendors include Pulse Secure, Fortinet, Citrix, Palo Alto Network, Cisco, Sophos, F5 Networks, and Sonicwall.
  • Recently, a security bypass vulnerability has been spotted in Netgear routers that could have allowed an attacker to bypass the authentication mechanism and gain access to the systems.
  • In early June, several industrial switches of multiple vendors were affected by the same vulnerabilities sharing the firmware made by Taiwan-based industrial equipment maker Korenix Technology.


Attacks against firewalls, VPN servers, and load balancers have become common. Such attacks are being carried out for cyberespionage or financial gains. Therefore, it is very important to always update the device’s firmware with the latest patches.

Cyware Publisher