CVE-2020-29583 Zyxel USG Hard-Coded Admin Creds

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

Recent assessments:

gwillcox-r7 at January 06, 2021 8:38pm UTC reported:

A hardcoded username of zyfwp with password PrOw!aN_fXp exists on Zyxel ATP, USG, USG Flex, and VPN firewalls running firmware versions prior to ZLD v4.60 Patch 1. Additionally NXC2500 and NXC5500 AP controllers running firmware versions prior to v6.10 Patch 1 are also affected. The zyfwp account was designed to deliver automatic firmware updates to connected access points via FTP. This means that it has administrative privileges and could be used to compromise the firewall itself and change its settings to allow the attacker to gain further access into an organization’s network.

Security researchers discovered that this account existed, along with its plaintext hardcoded password, whilst looking through the firmware of affected devices, as discussed at <https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html&gt;.

Note that there has been increased exploitation of this vulnerability in the wild as of January 6th as noted at <https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/&gt; and <https://isc.sans.edu/diary/26954&gt;.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5