CVE-2020-29583
CRITICALCISA KEVEPSS 100th pctlDescription
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability
Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.
Apply updates per vendor instructions.
Remediation due: 2022-05-03
References
- http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf
- https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
- https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
- https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
- https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/
- https://www.zyxel.com/support/CVE-2020-29583.shtml
- https://www.zyxel.com/support/security_advisories.shtml
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-11-07.