ReSolver researcher discovered a backdoor in ZyXEL LTE3301-M209 LTE routers.

CVE-2022-40602 is associated with hard-coded credentials by analogy with similar problems in Telnet in D-Link DWR-921. He analyzed ELF, focusing on amit features that contained a loophole in D-Link routers.

The firmware is basically a merge of 3 partitions, the LZMA partition is the kernel, at 0x148CD6 is root-fs, and at 0x90BD36 is the contents of www.

Inside the latest Squashfs there is a file that contains the target bytes of Zlib at 0x10. Despite the fact that he did not find the Telnet credentials, but found something similar to a backdoor in the web interface. 

On September 12, 2022, he notified ZyXEL of the vulnerability by sending technical details. Two days later, ZyXEL confirmed the problems and noted that the bugs only affect the LTE3301-M209 model.

On October 19, the error was assigned a CVE, and on November 22, the ZyXEL security bulletin was published and a firmware fix was released. 

Zyxel PSIRT decided not to disclose credentials to prevent mass exploitation in the wild.

Owners of affected devices need to update them to the latest firmware version as soon as possible.