CVE-2020-29583
📋 TL;DR
CVE-2020-29583 is a critical vulnerability in Zyxel USG devices where firmware version 4.60 includes a hidden administrative account (zyfwp) with a hardcoded, unchangeable password found in cleartext. This allows attackers to gain full admin access via SSH or the web interface, affecting organizations using these devices for network security.
💻 Affected Systems
- Zyxel USG series devices (e.g., USG40, USG60, USG110, USG210, USG310, USG1100, USG1900, USG2200)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control, enabling them to reconfigure the firewall, intercept network traffic, deploy malware, or use the device as a pivot point into the internal network, leading to data breaches or service disruption.
Likely Case
Unauthorized users exploit the account to access the device, potentially stealing sensitive data, modifying network settings, or launching further attacks from within the network.
If Mitigated
With proper controls like network segmentation and monitoring, impact is limited to isolated device compromise, but full admin access still poses significant risk if exploited.
🎯 Exploit Status
Exploitation requires knowledge of the hardcoded password, which is publicly documented. Attackers can use standard SSH or web login tools; no advanced skills are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after 4.60, such as ZLD4.60 Patch 1 or later updates (check vendor advisories for exact versions).
Vendor Advisory: https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
Restart Required: Yes
Instructions:
1. Check the current firmware version on the Zyxel device via the web interface or CLI.
2. Download the patched firmware from Zyxel's official site.
3. Upload and apply the update through the web interface or CLI.
4. Reboot the device to complete the installation.
🔧 Temporary Workarounds
Disable SSH and restrict web access
Temporarily disable SSH services and limit web interface access to trusted IPs to reduce the attack surface.
Via web interface: Navigate to Configuration > System > Management > Service, disable SSH.
Via CLI: set system service ssh disable
Add IP restrictions in firewall rules for management interfaces.
🧯 If You Can't Patch
- Isolate the device on a dedicated management network with strict access controls to limit exposure.
- Monitor logs for login attempts using the zyfwp account and set up alerts for unauthorized access.
🔍 How to Verify
Check if Vulnerable:
Attempt to log in via SSH or the web interface using the zyfwp account with the known credentials (see the public references below for the password). If the login succeeds, the device is vulnerable.
Check Version:
Via CLI: show version, or via web interface: check System Information for firmware version.
Verify Fix Applied:
After patching, verify that the firmware version has been updated and test a login with the zyfwp account; it should fail. Also confirm in the vendor notes that the account has been removed or its password changed.
📡 Detection & Monitoring
Log Indicators:
- Failed or successful login attempts for user 'zyfwp' in SSH or web logs.
- Unusual administrative actions from unknown IPs.
Network Indicators:
- SSH or HTTP traffic to management ports from unexpected sources.
- Anomalous network configuration changes.
SIEM Query:
Example: (event_source="zyxel" AND user="zyfwp") OR (event_type="authentication" AND result="success" AND user="zyfwp")
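As an added defensive example (not from the original page or from Zyxel), the following Python script applies the log and network indicators above to constructed sample log lines. The syslog-like line shape, the regex, and the trusted management subnet 10.0.0.0/24 are assumptions; adjust them to the format your devices actually emit.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic syslog-like shape. The real
# Zyxel USG log format may differ, so adapt LINE_RE to your exports.
SAMPLE_LOGS = """\
Dec 20 10:01:02 usg40 zyxel: User admin login from 10.0.0.5 via SSH: success
Dec 20 10:02:10 usg40 zyxel: User zyfwp login from 203.0.113.7 via SSH: success
Dec 20 10:02:44 usg40 zyxel: User zyfwp login from 203.0.113.7 via HTTPS: failed
Dec 20 10:05:00 usg40 zyxel: User admin login from 198.51.100.9 via HTTPS: success
"""

LINE_RE = re.compile(
    r"User (?P<user>\S+) login from (?P<src>\S+) via (?P<svc>\S+): (?P<result>success|failed)"
)
# Assumed trusted management subnet; any admin login from outside it is flagged.
MGMT_ALLOWLIST = [ip_network("10.0.0.0/24")]


@dataclass
class Alert:
    severity: str
    reason: str
    user: str
    src: str
    service: str


def analyze(log_text, allowlist=MGMT_ALLOWLIST):
    """Return alerts for zyfwp activity and admin logins from untrusted sources."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication event we understand
        user, src, svc, result = m.group("user", "src", "svc", "result")
        if user == "zyfwp":
            # Any use of the hidden account is an indicator, even a failure.
            sev = "critical" if result == "success" else "high"
            alerts.append(Alert(sev, f"zyfwp login {result}", user, src, svc))
            continue
        try:
            trusted = any(ip_address(src) in net for net in allowlist)
        except ValueError:
            trusted = False  # unparsable source address is treated as untrusted
        if result == "success" and not trusted:
            alerts.append(Alert("medium", "admin login from untrusted source", user, src, svc))
    return alerts
```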
🔗 References
- http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf
- https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
- https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
- https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
- https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/
- https://www.zyxel.com/support/CVE-2020-29583.shtml
- https://www.zyxel.com/support/security_advisories.shtml
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583