CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2020-29583

CVSS 9.8v3.1pub. 2020-12-22upd. 2025-11-07

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zyxel Atp100

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp100 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Atp100w

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp100w Firmware

    OS
    Zyxel
    4.60
  • Zyxel Atp200

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp200 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Atp500

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp500 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Atp700

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp700 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Atp800

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Atp800 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg110

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg1100

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg1100 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg110 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg1900

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg1900 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg20 Vpn

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg20 Vpn Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg20w Vpn

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg20w Vpn Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg210

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg210 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg2200

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg2200 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg310

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg310 Firmware

    OS
    Zyxel
    4.60
  • Zyxel Usg40

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Usg40 Firmware

    OS
    Zyxel
    4.60

CISA KEV — detailsi

Vendori
Zyxel
Producti
Multiple Products
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
CWE
References

Related vulnerabilities

CVE-2023-33009CRITICAL9.8⚠ KEVten sam produkt

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 throug...

CVE-2023-33010CRITICAL9.8⚠ KEVten sam produkt

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 throu...

CVE-2023-28771CRITICAL9.8⚠ KEVten sam produkt

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series fir...

CVE-2022-30525CRITICAL9.8⚠ KEVten sam produkt

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 throug...

CVE-2020-9054CRITICAL9.8⚠ KEVten sam produkt

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...