Over 100,000 Zyxel devices are potentially vulnerable to a secret backdoor caused by hardcoded credentials used to update firewall and AP controllers’ firmware. Dutch cybersecurity firm EYE discovered a secret hardcoded administrative account in the latest 4.60 patch 0 firmware. The account could be used to log into vulnerable devices over both SSH and the web interface. Since SSL VPN interface operates on the same port as web interface, Teusink found that many users have allowed port 443 to be accessible on the Internet.
Source: https://www.bleepingcomputer.com/news/security/secret-backdoor-discovered-in-zyxel-firewalls-and-ap-controllers/