CVE-2020-29583 Zyxel USG Hard-Coded Admin Creds
Description
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
A hardcoded username of `zyfwp` with password `PrOw!aN_fXp` exists on Zyxel ATP, USG, USG Flex, and VPN firewalls running firmware versions prior to ZLD v4.60 Patch 1. Additionally, NXC2500 and NXC5500 AP controllers running firmware versions prior to v6.10 Patch 1 are also affected. The `zyfwp` account was designed to deliver automatic firmware updates to connected access points via FTP. This means that it has administrative privileges and could be used to compromise the firewall itself and change its settings to allow the attacker to gain further access into an organization’s network.
Security researchers discovered that this account existed, along with its plaintext hardcoded password, whilst looking through the firmware of affected devices, as discussed at https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html.
Note that there has been increased exploitation of this vulnerability in the wild as of January 6th as noted at https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/ and https://isc.sans.edu/diary/26954.
Technical Analysis
Description
On Wednesday, December 23, 2020, Zyxel released a security advisory for CVE-2020-29583, a “hardcoded credential vulnerability” in its firewall and AP controller products. The vulnerability was discovered by Niels Teusink of EYE.
According to Zyxel, the account with hardcoded credentials was designed to deliver automatic firmware updates to connected access points through FTP. Teusink determined that the account had admin privileges and was accessible via both the device’s web interface and its SSH service, leading to a complete compromise of the device’s management functionality.
As of January 6, 2021, SANS reports that CVE-2020-29583 is being actively exploited in the wild.
Affected products
The following table was provided by Zyxel.
| Affected product series | Patch available in |
|---|---|
| Firewalls | |
| ATP series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| USG FLEX series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| VPN series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020 |
| AP controllers | |
| NXC2500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
| NXC5500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021 |
Rapid7 analysis
The `zyfwp` user is a Unix user with password `PrOw!aN_fXp`. The user can log in to an affected Zyxel device’s web interface and SSH service. Admin access to a management interface is granted.
Guidance
Zyxel has provided an FAQ detailing how to mitigate the risk posed by CVE-2020-29583. Rapid7 strongly recommends that Zyxel customers upgrade their firmware to the latest available version.
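Two defender-side checks for this issue, added here as example code and not taken from Rapid7, Zyxel or either assessment above: a scan of device authentication logs for any use of the `zyfwp` account (the account is undocumented, so any interactive login with it is an indicator), and a version test that applies the ranges in Zyxel's table. The log line layout and the product names in the sample are constructed assumptions; adapt the regexes to the syslog format your devices actually emit.

```python
import re

HARDCODED_USER = "zyfwp"  # undocumented account named in the advisory

# Constructed sample lines; the layout is an assumption, not real Zyxel syslog output.
SAMPLE_LOGS = """\
2021-01-06T10:12:01Z usg60 sshd: Accepted password for admin from 10.0.0.5 port 51122
2021-01-06T10:14:33Z usg60 sshd: Accepted password for zyfwp from 198.51.100.23 port 40021
2021-01-06T10:15:02Z usg60 httpd: User zyfwp login successfully from 198.51.100.23
2021-01-06T10:16:10Z usg60 sshd: Failed password for zyfwp from 203.0.113.9 port 33001
2021-01-06T10:20:00Z usg60 ftpd: connection from 192.168.1.40
"""

LINE_RE = re.compile(r"^(?P<time>\S+) \S+ (?P<service>\w+): (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<res>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
WEB_RE = re.compile(r"^User (?P<user>\S+) login (?P<res>successfully|failed) from (?P<src>\S+)")

def detect_zyfwp(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (time, service, outcome, source) for every SSH or web auth event
    involving zyfwp. Failures matter too: they show someone probing for it."""
    findings = []
    for line in log_text.splitlines():
        head = LINE_RE.match(line)
        if not head:
            continue
        m = SSH_RE.match(head["msg"]) or WEB_RE.match(head["msg"])
        if not m or m["user"] != HARDCODED_USER:
            continue
        outcome = "success" if m["res"] in ("Accepted", "successfully") else "failure"
        findings.append((head["time"], head["service"], outcome, m["src"]))
    return findings

VERSION_RE = re.compile(r"V(?P<major>\d+)\.(?P<minor>\d+)(?:\s*Patch\s*(?P<patch>\d+))?", re.I)

def is_affected(product: str, version: str) -> bool:
    """Ranges from Zyxel's table: ATP/USG/USG FLEX/VPN on ZLD V4.60 without Patch1;
    NXC2500/NXC5500 on V6.00 through V6.10 without Patch1. Unlisted = not affected."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    ver, patch = (int(m["major"]), int(m["minor"])), int(m["patch"] or 0)
    p = product.upper()
    if p.startswith(("ATP", "USG", "VPN")):
        return ver == (4, 60) and patch < 1
    if p.startswith(("NXC2500", "NXC5500")):
        return (6, 0) <= ver <= (6, 10) and patch < 1
    return False
```

Running `detect_zyfwp(SAMPLE_LOGS)` on the constructed sample yields two successful logins (SSH and web) and one failed attempt, all from addresses that should then be investigated.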