CVE-2020-29583

Warning

Exploit

EPSS 94.04%
Published 22.12.2020 22:15:14
Last modified 03.04.2025 19:46:18
Source cve@mitre.org
Teams watchlist Login
Open Login

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

Affected products Warnungen 1 Metrics 4 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Zyxel ≫ Usg20-vpn Firmware Version4.60

Zyxel ≫ Usg20-vpn Version-

Zyxel ≫ Usg20w-vpn Firmware Version4.60

Zyxel ≫ Usg20w-vpn Version-

Zyxel ≫ Usg40 Firmware Version4.60

Zyxel ≫ Usg40 Version-

Zyxel ≫ Usg40w Firmware Version4.60

Zyxel ≫ Usg40w Version-

Zyxel ≫ Usg60 Firmware Version4.60

Zyxel ≫ Usg60 Version-

Zyxel ≫ Usg60w Firmware Version4.60

Zyxel ≫ Usg60w Version-

Zyxel ≫ Usg110 Firmware Version4.60

Zyxel ≫ Usg110 Version-

Zyxel ≫ Usg210 Firmware Version4.60

Zyxel ≫ Usg210 Version-

Zyxel ≫ Usg310 Firmware Version4.60

Zyxel ≫ Usg310 Version-

Zyxel ≫ Usg1100 Firmware Version4.60

Zyxel ≫ Usg1100 Version-

Zyxel ≫ Usg1900 Firmware Version4.60

Zyxel ≫ Usg1900 Version-

Zyxel ≫ Usg2200 Firmware Version4.60

Zyxel ≫ Usg2200 Version-

Zyxel ≫ Zywall110 Firmware Version4.60

Zyxel ≫ Zywall110 Version-

Zyxel ≫ Zywall310 Firmware Version4.60

Zyxel ≫ Zywall310 Version-

Zyxel ≫ Zywall1100 Firmware Version4.60

Zyxel ≫ Zywall1100 Version-

Zyxel ≫ Atp100 Firmware Version4.60

Zyxel ≫ Atp100 Version-

Zyxel ≫ Atp100w Firmware Version4.60

Zyxel ≫ Atp100w Version-

Zyxel ≫ Atp200 Firmware Version4.60

Zyxel ≫ Atp200 Version-

Zyxel ≫ Atp500 Firmware Version4.60

Zyxel ≫ Atp500 Version-

Zyxel ≫ Atp700 Firmware Version4.60

Zyxel ≫ Atp700 Version-

Zyxel ≫ Atp800 Firmware Version4.60

Zyxel ≫ Atp800 Version-

Zyxel ≫ Vpn50 Firmware Version4.60

Zyxel ≫ Vpn50 Version-

Zyxel ≫ Vpn100 Firmware Version4.60

Zyxel ≫ Vpn100 Version-

Zyxel ≫ Vpn300 Firmware Version4.60

Zyxel ≫ Vpn300 Version-

Zyxel ≫ Vpn1000 Firmware Version4.60

Zyxel ≫ Vpn1000 Version-

Zyxel ≫ Usg Flex 100 Firmware Version4.60

Zyxel ≫ Usg Flex 100 Version-

Zyxel ≫ Usg Flex 100w Firmware Version4.60

Zyxel ≫ Usg Flex 100w Version-

Zyxel ≫ Usg Flex 200 Firmware Version4.60

Zyxel ≫ Usg Flex 200 Version-

Zyxel ≫ Usg Flex 500 Firmware Version4.60

Zyxel ≫ Usg Flex 500 Version-

Zyxel ≫ Usg Flex 700 Firmware Version4.60

Zyxel ≫ Usg Flex 700 Version-

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability

Vulnerability

Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.04%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://www.zyxel.com/support/security_advisories.shtml

Vendor Advisory

http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf

Broken Link

https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release

Release Notes

https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15

Release Notes

https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html

Third Party Advisory

Broken Link

https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/