Vulnerability in N/a
CVE-2020-29583
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the…
EPSS: 0.943 (99.9th percentile).
Affected products
- N/a — versions n/a
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2021-11-03. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
References
- www.zyxel.com/support/security_advisories.shtml
- ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
- businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available…
- businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-rele…
- www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
- www.zyxel.com/support/CVE-2020-29583.shtml
- www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-…
Frequently asked questions
- What is CVE-2020-29583?
- CVE-2020-29583 is a vulnerability in N/a. Published 2020-12-22.
- Is CVE-2020-29583 known to be exploited?
- Yes. CVE-2020-29583 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 24 public proof-of-concept repositories are indexed.