Developers: Zyxel Communications
Date of the premiere of the system: 2020/11/16
Last Release Date: 2023/02/01
Technology: Routers
Main article: Routers (global market)
2025: Hackers start exploiting a vulnerability in Zyxel modems, but there are no fixes
At the end of January, FSTEC issued a warning about the critical vulnerability BDU:2025-00886[1], which was discovered in the summer of 2024 in Zyxel CPE series devices. The bug has never been fixed by the manufacturer, so it was assigned a severity of 10 out of 10 on the CVSS version 3 scale. Moreover, in January GrayNoise confirmed cases of its exploitation, which indicates an increased danger to users of these devices.
"As of February 2025, more than 1,500 vulnerable Zyxel CPE devices were found on the Internet, most of them located in the Philippines, Turkey, Great Britain, Italy and France," Andrei Shabalin, information security analyst at NGR Softlab, cited statistics for TAdviser readers. "In Russia, this equipment is less common in the corporate environment, but it can still be found in small companies, as well as at some telecom operators that use Zyxel to provide Internet access. GrayNoise experts have confirmed that the BDU:2025-00886 vulnerability is already being actively exploited. It was discovered back in the summer of 2024, but recommendations to reduce the risks of its exploitation appeared only in early 2025."
As stated in the FSTEC warning, the vulnerability in the firmware of Zyxel CPE series network devices exists because special elements used in operating system commands are not neutralized (OS command injection). Exploiting it can allow a remote attacker to execute arbitrary commands with "supervisor" or "zyuser" privileges by sending specially crafted network requests via telnet.
"As far as we know, there are no public exploits for BDU:2025-00886 yet, but they may have already appeared in private channels," Sergei Belyaev, threat analyst at the Solar 4RAYS Cyber Threat Research Center of Solar Group, suggested in a conversation with TAdviser. "At least some public sources report that the popular Mirai botnet has implemented an exploit for this vulnerability in its scripts and uses it to compromise devices."
It should be noted that the Zyxel DSL CPE series devices are compact routers with integrated Wi-Fi 6, operating in the 2.4 GHz and 5 GHz bands, so they can also be attacked over a wireless connection, which is quite difficult to restrict.
"Zyxel equipment is widespread in Russia and the CIS countries," said Igor Soul, director of the portfolio of ecosystem solutions in information security at Note Dome. "According to official data, the company's sales continue to grow, which indicates a significant number of installed devices, including potentially vulnerable ones."
It is true that these devices are probably supplied mainly to private users rather than to companies. Nevertheless, the compromise of the home router of a remote-working IT specialist can lead to security problems for the network of the entire company. Therefore, when organizing protection against this threat, you should consider not only an attack on the network via a remote connection, but also via Wi-Fi, including for home users.
"Despite the wide range of Zyxel solutions, in practice few companies use this manufacturer's CPE at the core or perimeter of their network. However, such situations still occur," Denis Bandaletov, head of network technologies at Angara Security, told TAdviser. "Problems can arise for ordinary home Internet users who use Zyxel CPE to connect to their provider, especially when a public (white) IP address is used. Users may not even be aware of the vulnerability. Meanwhile, attackers exploiting it can not only disable the equipment but also steal transmitted data, including traffic from banking applications and other sensitive information, by reconfiguring the equipment to redirect traffic through their systems."
The devices of this series are designed for home use on provider networks, so their interfaces are often not visible from the open Internet. However, they can be attacked both over Wi-Fi and through a reflected attack: a specially crafted JavaScript script or a simple link like "telnet://192.168.1.1...", which, when clicked by an imprudent user, attacks their own home router. Perhaps this is the path the developers of the Mirai botnet took. Thus, the vulnerability could well be used to penetrate the perimeter of an operator or organization if the vulnerable device is inside its network.
"Whether an attacker can use this vulnerability to penetrate corporate networks depends on whether measures have already been implemented to restrict access to the devices' management interface from outside," Denis Chigin, head of the technological expertise department at Softline Group of Companies, explained to TAdviser readers. "If the device is reachable by users outside the corporate network, then firmware containing the vulnerability on currently deployed equipment will allow an attacker to attempt to execute the commands they want on it. If basic security measures have been taken, the likelihood of exploitation by an attacker is, of course, noticeably reduced."
The telnet protocol has long been recognized as outdated, and support for it in both software and devices is limited. Both information security services and hardware manufacturers recommend eliminating the use of telnet in favor of the more secure SSH or HTTPS, but there are still users who believe that telnet can be used safely inside a protected perimeter.
"It is extremely unlikely that the discovered bug will be used to penetrate corporate networks, since leaving telnet access open to the outside has not been common practice for a long time," said Dmitry Avramenko, head of the infrastructure and network solutions department at Cloud Networks. "Even inside the network, telnet access is used only in exceptional cases. Instead, the more secure SSH or HTTPS protocols are now preferred. To protect specifically against this vulnerability, if the telnet protocol is still in use, it must be abandoned."
FSTEC's recommendations for protection against this vulnerability are not original. They are as follows:
- Using firewall tools to restrict remote access to the vulnerable software;
- Creating a "white" list (allow-list) of IP addresses to restrict access to the vulnerable software;
- Using secure communication channels for remote access.
In general, Dmitry Avramenko recommends the following measures to protect against such vulnerabilities in communication equipment:
- Network segmentation: separating the management network from user segments, with access from user networks into the management network prohibited;
- Disabling vulnerable and unused management protocols (telnet, http, etc.);
- Blocking default accounts (or, if that is impossible, changing their passwords), using strong passwords for accounts and changing them regularly, or better, logging in through centralized access control systems (SSO);
- Upgrading software to current versions.
True, the last piece of advice will not work in this case: the manufacturer has not released fixes for its equipment.
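The FSTEC and Avramenko recommendations above amount to "telnet to the CPE only from an allow-list, behind a firewall". The following added example (not from the article, FSTEC or any of the quoted vendors) audits firewall connection logs for telnet sessions to the CPE that did not come from the allow-list; the log format, the allow-list and the sample lines are constructed assumptions.

```python
# Added example: audit firewall logs for telnet (TCP/23) sessions to a CPE
# management interface that originate outside the management allow-list.
import ipaddress
import re

# Management allow-list (assumed values; adjust to your own network).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.1.10/32")]
TELNET_PORT = 23

# Constructed sample lines in an assumed generic key=value firewall log format.
SAMPLE_LOG = """\
ts=2025-02-03T10:01:02Z src=10.0.0.5 dst=192.168.1.1 dport=23 proto=tcp action=accept
ts=2025-02-03T10:02:15Z src=203.0.113.44 dst=192.168.1.1 dport=23 proto=tcp action=accept
ts=2025-02-03T10:02:16Z src=203.0.113.44 dst=192.168.1.1 dport=443 proto=tcp action=accept
ts=2025-02-03T10:03:40Z src=198.51.100.7 dst=192.168.1.1 dport=23 proto=tcp action=drop
ts=2025-02-03T10:04:01Z src=192.168.1.10 dst=192.168.1.1 dport=23 proto=tcp action=accept
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

def is_allowed(src):
    """True if the source address falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCES)

def find_unauthorized_telnet(log_text):
    """Return (src, dst, action) for every telnet session not from the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the expected format; skip it
        if m["proto"].lower() != "tcp" or int(m["dport"]) != TELNET_PORT:
            continue
        if not is_allowed(m["src"]):
            findings.append((m["src"], m["dst"], m["action"]))
    return findings

def accepted_unauthorized(log_text):
    """Sources that reached telnet despite not being allow-listed: the firewall rule is missing."""
    return [src for src, _dst, action in find_unauthorized_telnet(log_text) if action == "accept"]

if __name__ == "__main__":
    for src, dst, action in find_unauthorized_telnet(SAMPLE_LOG):
        print(f"telnet to {dst} from non-allow-listed {src} ({action})")
    print("sources needing a firewall rule:", accepted_unauthorized(SAMPLE_LOG))
```

A dropped session from outside the allow-list shows the filtering is working; an accepted one is the gap the first two FSTEC items are meant to close.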
2023: Four vulnerabilities fixed
Zyxel has fixed four vulnerabilities discovered by Positive Technologies expert Nikita Abramov in several series of Wi-Fi routers. The equipment also uses 4G and 5G technology to work with cellular operator networks. Positive Technologies announced this on February 1, 2023.
Vulnerable routers can be used in homes, in corporate environments, as well as at remote sites and production facilities. In addition, the found and closed vulnerabilities also affected other Zyxel network devices: optical network terminals, Internet gateways and Wi-Fi extenders.
Errors were detected in the following devices:
- 4G LTE CPE routers: LTE3202-M437, LTE3316-M604, LTE7480-M804, LTE490-M904;
- 5G NR routers: NR5103, NR5103E, NR7101, NR7102, NR7103;
- optical network terminals (PM7320-B0, etc.), Internet gateways (EX5510-B0, etc.), Wi-Fi extenders (WX3100-T0, etc.).
"Among the discovered vulnerabilities, the most interesting was CVE-2022-43389 (score 8.6 on the CVSS v3.0 scale), a stack buffer overflow," said Nikita Abramov. "It did not require authentication and led to arbitrary code execution on the device. Thus, an attacker could gain remote access to the device and fully control its operation. In particular, transmitted traffic was at risk. In addition, there was a risk of denial of service, which could potentially leave the end site of the infrastructure without communication."
Two other vulnerabilities allowed an attacker to execute system commands on behalf of an authenticated user (CVE-2022-43391, score 7.1, and CVE-2022-43392, score 7.1): on a vulnerable device, certain system commands could be executed by sending an HTTP request. Another vulnerability (CVE-2022-43390, score 5.4) is, like the first, a buffer overflow. At the time of the study, vulnerable Zyxel devices could be found using search engines, mainly in South Africa and European countries.
According to the researcher, many buffer-overflow vulnerabilities arise from incorrect handling of memory (its size and allocation) or at the parsing stage, while command injection appears when certain special characters in input data are not filtered. Very often such errors result from developer inattention or insufficient testing. To eliminate them, source code analysis and testing tools should be used at the development stage.
To fix the vulnerabilities, you should update the device firmware according to the manufacturer's recommendations described in the security advisory. The company emphasizes that on most devices affected by these errors, access from the wide area network is disabled by default, which provides additional protection.
2020: NR7101, NR5101 and NR2101
On November 16, 2020, Zyxel announced the availability of a line of its 5G-enabled products, which began mass production in the second quarter of 2020.
According to the company, as of November 2020, customers need a high-speed Internet connection with minimal data transmission delays. However, some home users do not have access to broadband. With Zyxel products based on 5G technology, scalable broadband services and high-speed Internet connectivity have become available, along with the ability to improve the security of the network infrastructure and increase the flexibility of its deployment.
Zyxel offers a portfolio of 5G products for outdoor, indoor and travel use, including:
- 5G Street Router (NR7101)
- 5G Room Router (NR5101)
- 5G Portable Router (NR2101)
With these Zyxel devices, broadband Internet access can be provided anywhere. Combined with Wi-Fi 6 technology, Zyxel 5G solutions deliver high-speed Wi-Fi without dead spots for consumers.
Zyxel 5G solutions ship with a mobile application that simplifies router configuration and connection to the network. The application streamlines deployment and eliminates the need for a service engineer to visit the site to configure subscriber equipment. Users can also use the mobile app to find where the 5G signal is received best and install their router there.
NR7101, NR5101 and NR2101 are available for order through official Zyxel distributors in Russia and the CIS.