CVE-2020-29583

CRITICAL KEV NUCLEI

Zyxel USG <4.60 - Privilege Escalation

Title source: llm

Description

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account is stored in cleartext in the firmware. The account can be used to log in to the SSH server or the web interface with admin privileges.

Exploits (1)

nomisec SCANNER 16 stars
by ruppde · infoleak
https://github.com/ruppde/scan_CVE-2020-29583

Nuclei Templates (1)

ZyXel USG - Hardcoded Credentials
CRITICAL · VERIFIED · by canberbamber
Shodan: title:"USG FLEX 100" || http.title:"usg flex 100"
FOFA: title="usg flex 100"

Scores

CVSS v3 9.8
EPSS 0.9437
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-21944

Classification

CWE
CWE-522
Status published

Affected Products (30)

zyxel/usg20-vpn_firmware
zyxel/usg20w-vpn_firmware
zyxel/usg40_firmware
zyxel/usg40w_firmware
zyxel/usg60_firmware
zyxel/usg60w_firmware
zyxel/usg110_firmware
zyxel/usg210_firmware
zyxel/usg310_firmware
zyxel/usg1100_firmware
zyxel/usg1900_firmware
zyxel/usg2200_firmware
zyxel/zywall110_firmware
zyxel/zywall310_firmware
zyxel/zywall1100_firmware
... and 15 more

Timeline

Published Dec 22, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026