Possible attack on Radius server?

weasel Posts: 1
edited December 2021 in Security
Hello, I have a USG110 and I'm seeing malicious activity on it. First of all, sadly I'm still on firmware 4.25 but I can't update it at the moment, so forgive me if there's a vulnerability already closed in later firmware versions.

- Some Chinese IPs are logging in with normal user accounts, as you can see in the first screenshot. Normal users can't do anything, so they only activate an SSL connection with nothing in it. I have already changed all user passwords.
- After these logins, I noticed the Radius server being enabled several times (second screenshot), but when I went to "System" -> "Auth. Server" there was nothing there and the checkbox was disabled.
- Please note that all the other config changes you see in the screenshots were made by me.

So my question is, what could possibly cause that Radius server activation? Is there any known vulnerability in the wild that can enable it without admin permissions? What are the security implications of the Radius server?

One last thing: I noticed the same behaviour after this news, so maybe it's linked to it.

Thanks for your help

All Replies

Zyxel_Stanley Posts: 1,366  Zyxel Employee
edited December 2021

Hi @weasel
The log comes from the user database having been changed.
According to this part, we have enhanced the log output.
The system will display the user account database change log and also include the operator account and source address.
You can upgrade your firmware to the latest version first.
