{"id": "AKB:6B0BC493-ED21-4ADD-9DA2-FEF5F1292C4E", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2020-29583 Zyxel USG Hard-Coded Admin Creds", "description": "Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.\n\n<https://nvd.nist.gov/vuln/detail/CVE-2020-29583>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 06, 2021 8:38pm UTC reported:\n\nA hardcoded username of `zyfwp` with password `PrOw!aN_fXp` exists on Zyxel ATP, USG, USG Flex, and VPN firewalls running firmware versions prior to ZLD v4.60 Patch 1. Additionally NXC2500 and NXC5500 AP controllers running firmware versions prior to v6.10 Patch 1 are also affected. The `zyfwp` account was designed to deliver automatic firmware updates to connected access points via FTP. This means that it has administrative privileges and could be used to compromise the firewall itself and change its settings to allow the attacker to gain further access into an organization\u2019s network.\n\nSecurity researchers discovered that this account existed, along with its plaintext hardcoded password, whilst looking through the firmware of affected devices, as discussed at <https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html>.\n\nNote that there has been increased exploitation of this vulnerability in the wild as of January 6th as noted at <https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/> and <https://isc.sans.edu/diary/26954>.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "published": "2020-12-22T00:00:00", "modified": "2021-01-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://attackerkb.com/topics/FJI292KsKw/cve-2020-29583-zyxel-usg-hard-coded-admin-creds", "reporter": "AttackerKB", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2020-29583", "https://www.zyxel.com/us/en/support/CVE-2020-29583.shtml", "http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf", "https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/", "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15", "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release", "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"], "cvelist": ["CVE-2020-29583"], "lastseen": "2021-01-16T06:14:37", "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-29583"]}, {"type": "threatpost", "idList": ["THREATPOST:EF30FEBAA492953CD3E231B8B71A840C"]}, {"type": "cisa", "idList": ["CISA:0E2BA3A0792F36BF363969FD144B70FD"]}, {"type": "thn", "idList": ["THN:E6EB1E21728DD08BCB0620DFA1A89AE7"]}], "modified": "2021-01-16T06:14:37", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-01-16T06:14:37", "rev": 2}, "vulnersScore": 6.6}, "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true}

{"cve": [{"lastseen": "2021-01-15T14:33:12", "description": "Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-22T22:15:00", "title": "CVE-2020-29583", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29583"], "modified": "2021-01-14T14:49:00", "cpe": ["cpe:/o:zyxel:usg1100_firmware:4.60", "cpe:/o:zyxel:zywall1100_firmware:4.60", "cpe:/o:zyxel:usg40w_firmware:4.60", "cpe:/o:zyxel:zywall310_firmware:4.60", "cpe:/o:zyxel:usg110_firmware:4.60", "cpe:/o:zyxel:usg210_firmware:4.60", "cpe:/o:zyxel:usg20w-vpn_firmware:4.60", "cpe:/o:zyxel:zywall110_firmware:4.60", "cpe:/o:zyxel:usg40_firmware:4.60", "cpe:/o:zyxel:usg20-vpn_firmware:4.60", "cpe:/o:zyxel:usg60w_firmware:4.60", "cpe:/o:zyxel:usg2200_firmware:4.60", "cpe:/o:zyxel:usg1900_firmware:4.60", "cpe:/o:zyxel:usg60_firmware:4.60", "cpe:/o:zyxel:usg310_firmware:4.60"], "id": "CVE-2020-29583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29583", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:zyxel:usg60w_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg1900_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg20w-vpn_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg40_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg40w_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg110_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg20-vpn_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg60_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg2200_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:zywall1100_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg310_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg210_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:usg1100_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:zywall310_firmware:4.60:*:*:*:*:*:*:*", "cpe:2.3:o:zyxel:zywall110_firmware:4.60:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-01-06T21:53:55", "bulletinFamily": "info", "cvelist": ["CVE-2020-29583"], "description": "Security experts are warning hackers are ramping up attempts to exploit a high-severity vulnerability that may still reside in over 100,000 Zyxel Communications products.\n\nZyxel, a Taiwanese manufacturer of networking devices, on Dec. 23 [warned of the flaw in its firmware](<https://www.zyxel.com/support/CVE-2020-29583.shtml>) (CVE-2020-29583) and released patches to address the issue. Zyxel devices are generally utilized by small businesses as firewalls and VPN gateways.\n\nFast forward to this week, several security researchers have spotted \u201copportunistic exploitation\u201d of Zyxel devices that have not yet received updates addressing the vulnerability.\n\n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\n\u201cLikely due to the holidays, and maybe because [Niels Teusink, who discovered the flaw] did not initially publish the actual password, widespread exploitation via ssh has not started until now,\u201d said Johannes Ullrich, of the SANS Internet Storm Center (ISC), [in a Wednesday analysis](<https://isc.sans.edu/diary/26954>). \u201cBut we are [now] [seeing attempts](<https://isc.sans.edu/ssh_usernames.html?username=zyfwp>) to access our ssh honeypots via these default credentials.\u201d\n\nUllrich said the scans started on Monday afternoon stemming from one IP (185.153.196.230), and more scans from other IPs (5.8.16.167, 45.155.205.86) joined throughout this week.\n\n\u201cThe initial IPs scanning for this are all geo-locating back to Russia,\u201d Ullrich told Threatpost. \u201cBut other than that, they are not specifically significant. Some of these IPs have been involved in similar internet wide scans for vulnerabilities before so they are likely part of some criminal\u2019s infrastructure.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/06104449/ErDc0_TXMAEBUK4.png>)\n\nExploit attempts on a honeypot observed by SANS ISC. Credit: SANS ISC\n\nSeparately, researchers with GreyNoise [said on Twitter](<https://twitter.com/GreyNoiseIO/status/1346167640717471754>), on Monday, [they observed](<https://viz.greynoise.io/query/?gnql=tags%3A%22Zyxel%20USG%20SSH%20Backdoor%20Attempt%22>) a slew of \u201copportunistic exploitation of the newly discovered Zyxel USG SSH Backdoor and crawling of SOHO Routers.\u201d\n\nThe vulnerability stems from Zyxel devices containing an undocumented account (called zyfwp) that has an unchangeable password \u2013 which can be found in cleartext in the firmware, according to Niels Teusink at EYE, who discovered the flaw [and published his analysis](<https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html>) in tandem with Zyxel\u2019s December advisory.\n\nThe flaw, which had a CVSS Score of 7.8 out of 10 (making it high severity), could be exploited by attackers to log in with administrative privileges \u2013 and ultimately take over affected devices.\n\nFrom an attacker perspective, this would give cybercriminals the ability to adjust firewall rules, run malicious code on devices, or launch machine-in-the-middle attacks, Ullrich told Threatpost.\n\n\u201cThis can easily be leveraged to compromise workstations protected by the firewall,\u201d he said. \u201cThe only limit is the creativity of the attacker.\u201d\n\nThe number of current devices open to attack cannot by specifically pinpointed, however, according to Teusink, globally more than 100,000 Zyxel devices have exposed their web interface to the internet.\n\nFurthermore, \u201cin our experience, most users of these devices will not update the firmware very often,\u201d said Teusink. \u201cZyxel devices do not expose their firmware version to unauthenticated users, so determining if a device is vulnerable is a bit more difficult.\u201d\n\nTeusink did not reveal the unchangeable password in his analysis \u2013 however, it didn\u2019t take long for the hardcoded credentials to be distributed publicly on Twitter.\n\n> Zyxel undocumented account (CVE-2020-29583) details\n> \n> Username: zyfwp \nPassword: PrOw!aN_fXp\n> \n> \u2014 dozer (@dozernz) [December 31, 2020](<https://twitter.com/dozernz/status/1344435468868358145?ref_src=twsrc%5Etfw>)\n\nAffected Zyxel devices include its ATP firewall series, Unified Security Gateway (USG) series and VPN series, a patch for which became available in December 2020. Also affected is the NXC2500 and NXC 5500, which are two devices that are part of Zyxel\u2019s lineup of wireless LAN controllers, which will not receive a patch until Jan. 8, 2021.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/06104825/Screen-Shot-2021-01-06-at-10.25.06-AM.png>)\n\nPatch details. Credit: Zyxel\n\nUllrich told Threatpost that patching firewalls and gateways is always \u201ctricky,\u201d especially if the patching must be done remotely. And, another issue is that \u201cdue to the holidays, the initial announcement by Zyxel was also somewhat overlooked,\u201d he noted.\n\nSecurity experts\u2019 advice for potentially affected users? \u201cUpdate now,\u201d emphasized Ullrich.\n\nHe said consumers or businesses using any kind of firewall, gateway or router, regardless of the vendor should limit the administrative interface exposure.\n\n\u201cAvoid exposing web-based admin interfaces,\u201d said Ullrich. \u201cSecure ssh access best you can (public keys\u2026). In the case of a hidden admin account, these measures will likely not help, but see if you can disable password authentication. Of course, sometimes, vendors choose to hide ssh keys instead of passwords.\u201d\n\nCVE-2020-29583 is only the latest security issue to plague Zyxel.\n\nIn March 2020, researchers warned that Zyxel\u2019s Cloud CNM SecuManager software [contained 16 unpatched vulnerabilities](<https://threatpost.com/flaws-zyxels-network-management-software/153554/>) that could kick open the doors for hackers to exploit. That same month, the Mirai botnet was discovered attacking Zyxel network-attached storage (NAS) devices[ using a critical vulnerability in the devices](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>). And in April 2020, [the Hoaxcalls botnet was found spreading via an unpatched vulnerability](<https://threatpost.com/fast-moving-ddos-botnet-unpatched-zyxel-rce-bug/155059/>) impacting the ZyXEL Cloud CNM SecuManager.\n\n**Supply-Chain Security: A 10-Point Audit Webinar: Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2 p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: [Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET.**\n", "modified": "2021-01-06T16:40:26", "published": "2021-01-06T16:40:26", "id": "THREATPOST:EF30FEBAA492953CD3E231B8B71A840C", "href": "https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/", "type": "threatpost", "title": "Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "thn": [{"lastseen": "2021-01-04T18:21:30", "bulletinFamily": "info", "cvelist": ["CVE-2020-29583"], "description": "[](<https://thehackernews.com/images/-_EiJSyM-KAQ/X-8nSzeQkFI/AAAAAAAABYc/T-mOVeS8gSYC4gHCXGI7WotYpCddVzX1wCLcBGAsYHQ/s0/backdoor.jpg>)\n\nZyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded, undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.\n\nThe flaw, tracked as [CVE-2020-29583](<https://nvd.nist.gov/vuln/detail/CVE-2020-29583>) (CVSS score 7.8), affects [version 4.60](<https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release>) present in a wide-range of Zyxel devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products.\n\nEYE researcher [Niels Teusink](<https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html>) reported the vulnerability to Zyxel on November 29, following which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.\n\nAccording to the [advisory](<https://www.zyxel.com/support/CVE-2020-29583.shtml>) published by Zyxel, the undocumented account (\"zyfwp\") comes with an unchangeable password that's not only stored in plaintext but could also be used by a malicious third-party to login to the SSH server or web interface with admin privileges.\n\nZyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points through FTP.\n\nNoting that around 10% of 1000 devices in the Netherlands run the affected firmware version, Teusink said the flaw's relative ease of exploitation makes it a critical vulnerability.\n\n\"As the '**zyfwp**' user has admin privileges, this is a serious vulnerability,\" Teusink said in a write-up. \"An attacker could completely compromise the confidentiality, integrity and availability of the device.\"\n\n\"Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) this could be devastating to small and medium businesses.\"\n\n[](<https://thehackernews.com/images/-cJI5rZZtXbI/X-8oLh8hYyI/AAAAAAAABYk/WBDgTAK4MLMu2ck5oNVNLKU1kq17iloFwCLcBGAsYHQ/s0/patch.jpg>)\n\nThe Taiwanese company is also expected to address the issue in its access point (AP) controllers with a V6.10 Patch1 that's set to be released in April 2021.\n\nIt's highly recommended that users install the necessary firmware updates to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-04T17:12:05", "published": "2021-01-01T13:49:00", "id": "THN:E6EB1E21728DD08BCB0620DFA1A89AE7", "href": "https://thehackernews.com/2021/01/secret-backdoor-account-found-in.html", "type": "thn", "title": "Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "cisa": [{"lastseen": "2021-01-15T18:06:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-29583"], "description": "The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Zyxel firewalls and AP controllers. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to review the MS-ISAC Advisory [2021-001](<https://www.cisecurity.org/advisory/a-vulnerability-in-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access_2021-001/>) and [Zyxel Security Advisory for CVE-2020-29583](<https://www.zyxel.com/support/CVE-2020-29583.shtml>) and apply the necessary updates and mitigation recommendations.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ncas/current-activity/2021/01/08/ms-isac-releases-cybersecurity-advisory-zyxel-firewalls-and-ap>); we'd welcome your feedback.\n", "modified": "2021-01-08T00:00:00", "published": "2021-01-08T00:00:00", "id": "CISA:0E2BA3A0792F36BF363969FD144B70FD", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/01/08/ms-isac-releases-cybersecurity-advisory-zyxel-firewalls-and-ap", "type": "cisa", "title": "MS-ISAC Releases Cybersecurity Advisory on Zyxel Firewalls and AP Controllers", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}