CVE-2020-29583

critical

Description

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account is stored in cleartext in the firmware image, so anyone who extracts it can log in to the SSH server or the web interface with admin privileges, remotely and without any other credential. Per the vendor references below, the 4.60 build was revoked and ZLD V4.60 Patch 1 (released 15 December 2020) is the fixed release.
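Two checks a defender might run for this issue, as an added example that is not part of the original advisory record or of Zyxel's own tooling: a detector over SSH authentication log lines for the zyfwp account named above, and a classifier that flags the affected 4.60 build. The sample log lines are constructed in OpenSSH syslog style; the exact log format a USG emits, and the V4.60(XXXX.N) version-string layout in which N is the patch level, are assumptions here, not facts taken from the page.

```python
import re
from typing import Dict, List, Optional

# Account name taken from the CVE description.
BACKDOOR_ACCOUNT = "zyfwp"

# Constructed sample log lines in OpenSSH/syslog style. The real format emitted by a
# Zyxel USG is an assumption; adjust AUTH_RE to match what your collector receives.
SAMPLE_AUTH_LOG = """\
Dec 23 10:14:02 usg60 sshd[2311]: Accepted password for admin from 10.0.0.5 port 50122 ssh2
Dec 23 10:15:41 usg60 sshd[2340]: Failed password for zyfwp from 203.0.113.7 port 41002 ssh2
Dec 23 10:15:44 usg60 sshd[2340]: Accepted password for zyfwp from 203.0.113.7 port 41002 ssh2
Dec 23 10:16:10 usg60 sshd[2355]: Failed password for invalid user zyfwp2 from 198.51.100.9 port 33110 ssh2
Dec 23 10:17:30 usg60 sshd[2360]: Accepted publickey for admin from 10.0.0.5 port 50130 ssh2
"""

# Parses both "Accepted/Failed <method> for <user>" and the "invalid user" variant.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.:a-fA-F]+) port (?P<port>\d+)"
)


def find_backdoor_logins(log_text: str, account: str = BACKDOOR_ACCOUNT,
                         only_successful: bool = False) -> List[Dict[str, str]]:
    """Return every SSH authentication event for `account`, in log order.

    The username is compared exactly, so look-alikes such as "zyfwp2" are not
    reported. With only_successful=True, failed attempts are dropped; a failed
    attempt is still worth alerting on, since it shows someone probing for the
    account.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m.group("user") != account:
            continue
        if only_successful and m.group("result") != "Accepted":
            continue
        hits.append({
            "result": m.group("result"),
            "method": m.group("method"),
            "src": m.group("src"),
            "port": m.group("port"),
            "raw": line,
        })
    return hits


# Assumed version-string layout: V<major>.<minor>(<model code>.<patch>), e.g. V4.60(ABUQ.0).
VERSION_RE = re.compile(r"V?(?P<major>\d+)\.(?P<minor>\d+)\((?P<model>[A-Z]+)\.(?P<patch>\d+)\)")


def is_affected_version(version: str) -> Optional[bool]:
    """Classify a firmware version string against CVE-2020-29583.

    Returns True for ZLD 4.60 at patch level 0 (the build the CVE names),
    False for 4.60 Patch 1 or later and for other branches, and None when
    the string does not follow the assumed layout and must be checked by hand.
    """
    m = VERSION_RE.search(version)
    if not m:
        return None
    return (m.group("major"), m.group("minor")) == ("4", "60") and int(m.group("patch")) == 0


if __name__ == "__main__":
    for hit in find_backdoor_logins(SAMPLE_AUTH_LOG):
        print(f"{hit['result']:8} {hit['method']:9} from {hit['src']}:{hit['port']}")
    for v in ("V4.60(ABUQ.0)", "V4.60(ABUQ.1)", "V4.55(ABUQ.0)", "unknown"):
        print(v, "->", is_affected_version(v))
```

Run the detector over whatever your syslog collector stores for the firewall and alert on any hit at all; a failed attempt for zyfwp means the account name is being tried against your device. Treat a None from the version check as "unknown, verify manually", not as "not affected".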

References

https://www.zyxel.com/support/security_advisories.shtml

https://www.zyxel.com/support/CVE-2020-29583.shtml

https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15

https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release

Details

Source: Mitre, NVD

Published: 2020-12-22

Updated: 2024-07-26

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical