CVE-2020-29583

CRITICAL KEV NUCLEI

Zyxel USG <4.60 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2020-29583 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including ruppde. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Python-based scanner for detecting Zyxel devices vulnerable to CVE-2020-29583, which involves an undocumented user account. The scanner checks for specific firmware version strings in the device's web interface to identify potentially vulnerable devices but does not attempt to exploit the vulnerability.

Description

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account is stored in cleartext in the firmware. The account can be used to log in to the SSH server or the web interface with admin privileges.

Exploits (1)

nomisec · Scanner · 16 stars
by ruppde · infoleak
https://github.com/ruppde/scan_CVE-2020-29583

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Zyxel USG/ZyWALL/ATP/VPN/FLEX/NXC series devices
Authentication: none needed
Prerequisites: Network access to the target device's web interface (TCP/443)
Analyzed by devstral-2, Feb 18, 2026

Nuclei Templates (1)

ZyXel USG - Hardcoded Credentials
CRITICAL · Verified · by canberbamber
Shodan: title:"USG FLEX 100" || http.title:"usg flex 100"
FOFA: title="usg flex 100"

Scores

CVSS v3: 9.8
EPSS: 0.9433
EPSS Percentile: 100.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-11-03
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-21944
CWE: CWE-522 (Insufficiently Protected Credentials)
Status: published
Products (30):
zyxel/atp100_firmware 4.60
zyxel/atp100w_firmware 4.60
zyxel/atp200_firmware 4.60
zyxel/atp500_firmware 4.60
zyxel/atp700_firmware 4.60
zyxel/atp800_firmware 4.60
zyxel/usg1100_firmware 4.60
zyxel/usg110_firmware 4.60
zyxel/usg1900_firmware 4.60
zyxel/usg20-vpn_firmware 4.60
... and 20 more
Published: Dec 22, 2020
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026