CVE-2020-29583
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- December 06, 2020
- Published Date
- December 22, 2020
- Last Updated
- February 10, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
CVSS Scores
SSVC Information
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
References
https://www.zyxel.com/support/security_advisories.shtml
http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf
https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
https://www.zyxel.com/support/CVE-2020-29583.shtml
https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2021-11-03 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-29583.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
ruppde/scan_CVE-2020-29583
Type: github • Created: 2021-01-04 00:56:55 UTC • Stars: 15
Scanner for Zyxel products which are potentially vulnerable due to an undocumented user account (CVE-2020-29583)