Zyxel security advisory for the recent botnet attacks targeting PK5001Z


Zyxel is aware of the recently reported botnet attacks targeting Zyxel PK5001Z, an ISP-customized DSL CPE. Security researchers noticed an increase in traffic scanning ports 2323 and 23. The targeted port scans were actively looking for devices using hardcoded credential disclosed in US NIST National Vulnerability Database with vulnerability ID CVE-2016-10401. Zyxel has worked with the ISP customer to protect their networks from the threat.


What are the vulnerabilities?

Zyxel PK5001Z that used hardcoded credential made it possible for remote attackers to login and obtain root access via Telnet if Telnet remote console was enabled and default login credential remained unchanged.


What Zyxel products are impacted?

Zyxel has conducted a thorough investigation and identified that the reported attacks only affect PK5001Z since the hardcoded credential disclosed in CVE-2016-10401 only exists on PK5001Z. It is important to note that other Zyxel products are not impacted by the mentioned attacks.


How are Zyxel resolving the vulnerabilities?

Zyxel has worked with the ISP customer to deploy the solution and to protect their networks from the reported attack.


What are the short-term mitigations?

Zyxel always strongly recommends users:

  • DO NOT enable remote access function unless it is absolutely necessary
  • DO NOT use default login credential – create a strong password for each of your devices
  • Change your passwords on a regular basis
  • Make sure your devices are running on the latest available firmware


Please contact your local service representatives if you require further information or assistance. To report a vulnerability, please contact security@zyxel.com.tw


Zyxel will update this advisory when more information is available.