Actively exploited: added to CISA KEV on 2021-11-03; federal agencies required to patch by 2022-05-03. Required action: apply updates per vendor instructions.

Severity: 9.8 CRITICAL
EPSS: 94.4% (top 0.03%)
Timeline: published 2020-12-22; added to CISA KEV 2021-11-03; KEV due date 2022-05-03; latest update 2022-05-24

Description

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used to log in to the SSH server or the web interface with admin privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages: 30 packages

Vulnerability Details (3 entries)

GHSA: GHSA-59jx-m3c4-2m9w, "Firmware version 4", 2022-05-24
CVEList: CVE-2020-29583, "Firmware version 4", 2020-12-22
VulnCheck: Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability, 2020

Exploits & PoCs (1 entry)

Nuclei: ZyXel USG - Hardcoded Credentials

Vendor Advisories (1 entry)

CISA: Zyxel Multiple Products Use of Hard-Coded Credentials Vulnerability, 2021-11-03
CVE-2020-29583 (CRITICAL CVSS 9.8) | Firmware version 4.60 of Zyxel USG | cvebase.io