CVE-2020-29583 in Zyxel USG

Summary

by MITRE • 12/23/2020

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to log in to the SSH server or web interface with admin privileges.


Analysis

by VulDB Data Team • 02/05/2025

CVE-2020-29583 affects Zyxel USG firewall devices running firmware version 4.60. The firmware image contains an undocumented administrative account, zyfwp, which appears neither in the product documentation nor in the device configuration, so an administrator reviewing the configured user list has no indication that it exists. Shipping a hidden, privileged account inside a firmware image is a design flaw in the device's access control: it is a hard-coded credential (the weakness class catalogued as CWE-798) rather than an account the operator creates, manages and can revoke.

Technically, the flaw is a hard-coded credential stored in cleartext in the firmware image. Anyone who obtains the image, for example from the vendor's firmware update files, can recover the password by extracting printable strings from it or by more thorough reverse engineering; no access to a running device is required. Storing a credential in cleartext also matches CWE-312 (Cleartext Storage of Sensitive Information). Because the password is part of the system image rather than of the device configuration, it cannot be changed through the normal account management interface and it survives reboots and configuration resets; only installing a firmware image that no longer contains the account removes it.
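The paragraph above says the credential is recoverable from the image by string extraction. The following Python is an added example, not code from VulDB, MITRE or Zyxel: it performs a `strings`-style scan of a byte blob and flags runs that either mention a watch-listed account name or have the shape `user:secret` with a non-hashed secret. The image, the filler bytes and the `zyfwp` password in it are constructed placeholders (the real leaked credential is deliberately not reproduced), and the record shapes it recognises are assumptions about how such a credential might appear, not a description of the Zyxel image layout.

```python
import re

# Constructed stand-in for a firmware image: non-printable filler with a few
# embedded text records. It is NOT a Zyxel image, and the zyfwp password
# below is a placeholder, not the leaked credential.
FILLER = b"\x00\x7f\xff\x80\x01\x02" * 8
FAKE_IMAGE = (
    FILLER
    + b"root:x:0:0:root:/root:/bin/sh\n"          # ordinary passwd entry, no secret
    + FILLER
    + b"admin:$1$salt$hashhashhashhash\n"         # hashed credential, not cleartext
    + FILLER
    + b"zyfwp:PlaceholderPass123\n"               # cleartext credential record
    + FILLER
    + b"/usr/sbin/sshd -f /etc/ssh/sshd_config"   # unrelated string
)

# Runs of printable ASCII, like the output of `strings`. Newlines are not
# printable, so each text line of the image becomes its own run.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# A "user:secret" record whose secret is not a password hash ($id$salt$hash)
# and contains no further field separators (assumed record shape).
CRED_RECORD = re.compile(rb"^([A-Za-z_][A-Za-z0-9_]{2,31}):([^:\s$]{6,})$")


def extract_strings(image: bytes):
    """Yield (offset, printable run) pairs for every run in the image."""
    for m in PRINTABLE_RUN.finditer(image):
        yield m.start(), m.group(0)


def find_cleartext_credentials(image: bytes, watchlist=(b"zyfwp",)):
    """Return findings as (offset, kind, user, text) tuples.

    kind is "watchlist_user" when the run mentions a known undocumented
    account name, "cleartext_record" when it has the shape user:secret with a
    non-hashed secret. Hashed records and ordinary passwd lines are skipped.
    """
    findings = []
    for offset, run in extract_strings(image):
        hit = next((name for name in watchlist if name in run), None)
        if hit is not None:
            findings.append((offset, "watchlist_user", hit.decode(), run.decode()))
            continue
        m = CRED_RECORD.match(run)
        if m:
            findings.append((offset, "cleartext_record", m.group(1).decode(), run.decode()))
    return findings


if __name__ == "__main__":
    for offset, kind, user, text in find_cleartext_credentials(FAKE_IMAGE):
        print(f"0x{offset:06x} {kind:17s} {user:8s} {text}")
```

The watch-list check catches a known account name wherever it appears; the `user:secret` rule is the generic check for a credential that was never hashed, which is what makes this class of flaw recoverable from the image alone. Run it over a real unpacked image and expect noise from legitimate `key:value` strings; the point is to review every hit, not to treat a clean run as proof of absence.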

The operational impact is severe: the account logs in to both the SSH service and the web administration interface with full administrative privileges, so an attacker who can reach either management interface gains complete control of the firewall without bypassing any other authentication control. Other hardening measures (strong administrator passwords, lockout policies, audits of the configured user list) are irrelevant while this account exists, because none of them apply to it. In ATT&CK terms this is Valid Accounts (T1078): the attacker authenticates with credentials the device accepts as legitimate, which provides initial access, persistence and administrative privilege in a single step.

Organizations running affected Zyxel USG devices face unauthorized access to the firewall itself and, through it, to the networks it protects: an attacker with administrative access can rewrite firewall rules, read or alter VPN and user configuration, and intercept or redirect traffic. The exposure does not depend on the device configuration, so it applies equally to external attackers where a management interface is reachable from the WAN and to insiders on internal networks. Until fixed firmware is installed, restrict access to the SSH and web management interfaces to a dedicated management network, review device logs for any login or session attributed to the zyfwp account (which should never appear in normal operation, since the account is undocumented), and treat any management login from an unexpected source address as an incident. The remediation is to install the vendor firmware release that removes the account (Zyxel published 4.60 Patch 1 for this purpose) and then to verify that a login as zyfwp no longer succeeds. That a perimeter device shipped with a cleartext administrative credential is also a reason to review how much exposure such devices are given, in particular whether their management plane needs to be reachable from untrusted networks at all.
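The paragraph above recommends watching for use of the zyfwp account and for management logins from unexpected sources. The following Python is an added example, not code from VulDB or Zyxel: it runs those two detection rules over constructed syslog-style lines. The log format, hostname, addresses and the management network are assumptions made for the example and do not reflect Zyxel's actual log format; adapt the two regular expressions to the real device output before use.

```python
import ipaddress
import re

# Constructed sample syslog lines in a generic sshd/web-login style. The
# format, hostname and addresses are assumptions for this example, not
# Zyxel's actual log format.
SAMPLE_LOG = """\
Dec 24 03:12:07 usg60 sshd[1023]: Accepted password for admin from 10.0.5.20 port 51234 ssh2
Dec 24 03:14:41 usg60 sshd[1051]: Accepted password for zyfwp from 203.0.113.77 port 40112 ssh2
Dec 24 03:15:02 usg60 httpd: user zyfwp login succeeded from 203.0.113.77
Dec 24 03:20:00 usg60 sshd[1090]: Failed password for invalid user test from 198.51.100.9 port 2222 ssh2
Dec 24 03:21:13 usg60 httpd: user admin login succeeded from 10.0.5.21
Dec 24 03:25:48 usg60 sshd[1102]: Accepted password for admin from 198.51.100.9 port 2231 ssh2
"""

# Accounts that must never authenticate: an undocumented vendor account such
# as zyfwp has no legitimate operator use, so even a failed attempt is a signal.
UNDOCUMENTED_ACCOUNTS = {"zyfwp"}

# Networks from which management logins are expected (assumed for the example).
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
WEB_RE = re.compile(r"httpd: user (?P<user>\S+) login (?P<result>succeeded|failed) from (?P<src>\S+)")


def parse_event(line: str):
    """Turn one log line into a management-login event, or None if unrelated."""
    for channel, rx in (("ssh", SSH_RE), ("web", WEB_RE)):
        m = rx.search(line)
        if m:
            return {
                "channel": channel,
                "user": m.group("user"),
                "src": ipaddress.ip_address(m.group("src")),
                "success": m.group("result") in ("Accepted", "succeeded"),
            }
    return None


def evaluate(event):
    """Map an event to (severity, reason), or None when the login is expected."""
    outcome = "succeeded" if event["success"] else "failed"
    if event["user"] in UNDOCUMENTED_ACCOUNTS:
        return ("critical", f"{outcome} login with undocumented account {event['user']} "
                            f"over {event['channel']} from {event['src']}")
    if not any(event["src"] in net for net in MGMT_NETS):
        return ("high", f"{outcome} {event['channel']} login for {event['user']} from "
                        f"non-management address {event['src']}")
    return None


def detect(log_text: str):
    """Return alerts as (severity, user, source, reason) for every suspicious login."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        verdict = evaluate(event)
        if verdict is not None:
            alerts.append((verdict[0], event["user"], str(event["src"]), verdict[1]))
    return alerts


if __name__ == "__main__":
    for severity, user, src, reason in detect(SAMPLE_LOG):
        print(f"[{severity.upper():8s}] {user:6s} {src:15s} {reason}")
```

The undocumented-account rule fires on failed attempts as well as successes, because knowledge of the account name is itself evidence that someone is working from the leaked credential. The second rule treats any authentication attempt against the management plane from outside the management network as an alert, since after segmentation such traffic should not reach the device at all.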

Disclosure

12/23/2020

Moderation

accepted

CPE

ready

EPSS

0.90049

KEV

yes

Activities

very low
