10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.962 High
EPSS
Percentile
99.5%
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
Recent assessments:
gwillcox-r7 at January 06, 2021 8:38pm UTC reported:
A hardcoded username of zyfwp
with password PrOw!aN_fXp
exists on Zyxel ATP, USG, USG Flex, and VPN firewalls running firmware versions prior to ZLD v4.60 Patch 1. Additionally NXC2500 and NXC5500 AP controllers running firmware versions prior to v6.10 Patch 1 are also affected. The zyfwp
account was designed to deliver automatic firmware updates to connected access points via FTP. This means that it has administrative privileges and could be used to compromise the firewall itself and change its settings to allow the attacker to gain further access into an organizationβs network.
Security researchers discovered that this account existed, along with its plaintext hardcoded password, whilst looking through the firmware of affected devices, as discussed at <https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html>.
Note that there has been increased exploitation of this vulnerability in the wild as of January 6th as noted at <https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/> and <https://isc.sans.edu/diary/26954>.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
nvd.nist.gov/vuln/detail/CVE-2020-29583
threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/
www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/
www.zyxel.com/support/CVE-2020-29583.shtml
www.zyxel.com/support/security_advisories.shtml
www.zyxel.com/us/en/support/CVE-2020-29583.shtml
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.962 High
EPSS
Percentile
99.5%