ZyXEL NBG-418N router, firmware version 1.00(AADZ.3)C0, uses default credentials and is vulnerable to cross-site request forgery.
CWE-255: Credentials Management - CVE-2015-7283
The ZyXEL NBG-418N web administration interface uses non-random default credentials of admin:1234. A local area network attacker can gain privileged access to a vulnerable device's web management interfaces or leverage default credentials in remote attacks such as cross-site request forgery.
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session or perform actions as an authenticated user. A local area network attacker can take complete control of a device using default admin credentials.
The CERT/CC is currently unaware of a practical solution to this problem. Until these vulnerabilities are addressed, users should consider the following workarounds.
Restrict access to the web administration interface and use strong passwords in place of the defaults.
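The two weaknesses described above suggest two checks an embedded web-management interface should apply: refuse to treat an account as privileged while it still carries the vendor default password, and reject state-changing requests that do not carry an anti-CSRF token bound to the session. The following is an added illustration written for this note; it is not code from the CERT/CC advisory or from ZyXEL firmware. The account store, the session and request records, and every function name are constructed for the example; the only value taken from the advisory is the admin:1234 default pair.

```python
"""
Added defensive model (constructed example, not ZyXEL or CERT/CC code).

1. uses_default_credentials(): a session is not privileged while the account
   still authenticates with a known vendor default (admin:1234, per the note).
2. authorize_request(): POST/PUT/DELETE must carry an HMAC token bound to the
   session id, so a form submitted from another origin is dropped.
3. is_strong_password(): a minimal policy backing the "use strong passwords"
   workaround.
"""
import hashlib
import hmac
import secrets

# Vendor default pairs; the advisory names only admin:1234. Hypothetical list.
DEFAULT_CREDENTIALS = {("admin", "1234")}
PBKDF2_ROUNDS = 100_000


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; constructed storage format for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory account store standing in for the router's config (constructed)."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, password_hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        entry = self._accounts.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, password_hash(password, salt))


def uses_default_credentials(store: AccountStore, user: str) -> bool:
    """True if the account still authenticates with a known vendor default."""
    return any(u == user and store.verify(u, p) for u, p in DEFAULT_CREDENTIALS)


def is_strong_password(password: str, minimum_length: int = 12) -> bool:
    """Reject defaults, short passwords, and passwords of a single character class."""
    if any(password == p for _, p in DEFAULT_CREDENTIALS):
        return False
    if len(password) < minimum_length:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Token bound to the session id; the page must embed it in each form."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def authorize_request(store: AccountStore, session: dict, request: dict,
                      session_secret: bytes) -> tuple[bool, str]:
    """Decide whether a request from an authenticated session may proceed."""
    if uses_default_credentials(store, session["user"]):
        return False, "default credentials in use: password change required"
    if request["method"].upper() in ("POST", "PUT", "DELETE"):
        expected = issue_csrf_token(session_secret, session["id"])
        supplied = request.get("csrf_token", "")
        if not hmac.compare_digest(expected, supplied):
            return False, "missing or invalid anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("admin", "1234")          # factory state, as in the advisory
    secret = secrets.token_bytes(32)
    session = {"user": "admin", "id": "sess-demo-1"}
    print(authorize_request(store, session, {"method": "POST"}, secret))
    store.set_password("admin", "Rout3r-Adm1n-Long")
    print(authorize_request(store, session, {"method": "POST"}, secret))
    token = issue_csrf_token(secret, session["id"])
    print(authorize_request(store, session, {"method": "POST", "csrf_token": token}, secret))
```

The default-credential gate is evaluated before the CSRF check on purpose: while the factory password is in place, a forged request from a LAN browser can authenticate as the administrator regardless of tokens, so the interface should refuse privileged actions until the password has been changed.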
These vulnerabilities were reported by Joel Land of the CERT/CC.
This document was written by Joel Land.