CVE-2020-29583
In short
Zyxel USG firewalls have a hidden admin account (zyfwp) with a fixed password that's exposed in the firmware. An attacker can use this to gain full control of the device without needing to guess or crack anything.
Technical detail
CVE-2020-29583 involves a hardcoded, undocumented administrative account in Zyxel USG firmware 4.60 with credentials stored in cleartext within the firmware image. An attacker with access to the firmware or network can authenticate via SSH or web interface with administrative privileges, bypassing normal access controls.
Summary generated and translated by AI from the official description.
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to log in to the SSH server or web interface with admin privileges.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a
Public PoCs found: 1
GitHub: github.com/ruppde/scan_CVE-2020-29583 (★ 16)
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf
https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583
https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/
https://www.zyxel.com/support/CVE-2020-29583.shtml
https://www.zyxel.com/support/security_advisories.shtml