CVE-2020-29583
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- December 06, 2020
- Published Date
- December 22, 2020
- Last Updated
- October 21, 2025
- Vendor
- Zyxel
- Product
- USG devices
- Description
- Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
- Tags
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
- Exploited in the Wild
- Yes (2021-11-03 00:00:00 UTC) Source
CVSS Scores
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2021-11-03 00:00:00 UTC |
| CISA | 2021-11-03 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-29583.yaml | 2025-04-25 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
ruppde/scan_CVE-2020-29583
Type: github • Created: 2021-01-04 00:56:55 UTC • Stars: 15
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Added to KEVIntel
-
Detected by Nuclei