External risk intelligence

Zyxel Firewall Undocumented Account Vulnerability.

CVE advisory | Known Exploit

CVE-2020-29583

An undocumented administrative account with a hardcoded password exists in the firmware of affected Zyxel devices. This vulnerability allows unauthorized access to systems, potentially leading to data compromise and disruption of services. The business risk includes complete compromise of affected devices, allowing att

Halo Surface Signal: 5

Zyxel USG20-VPN Firmware

4.60

External exposure likelihood

Halo Surface Signal score for CVE-2020-29583

This CVE affects network security appliances including firewalls, VPN gateways, and wireless controllers. These products are designed to function as internet-facing edge gateways and remote access points, making their management interfaces and services inherently exposed to the public internet in standard deployment configurations.

Horizon Alert

Summary of the vulnerability and why it matters

Zyxel USG devices with firmware version 4.60 are vulnerable due to an undocumented administrative account. This account has an unchangeable password that is present in plain text within the firmware, allowing unauthorized access with administrative privileges. Such access could compromise the security and operational integrity of affected organizations.

  • Undocumented administrative account
  • Unchangeable, cleartext password
  • Unauthorized administrative access

Attack Path

How an attacker could exploit the issue

An undocumented account with hardcoded credentials exists within the firmware of affected Zyxel devices. This account is accessible via the SSH server or the web interface. Attackers can leverage this account to gain administrative privileges on the device.

  • Network exposure required.
  • Attacker logs in with credentials.
  • Gains administrative control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows attackers with no special skill level to gain administrative access to Zyxel devices. Exploitation requires no prior access or special conditions beyond network reachability, since the account can be used remotely over the network. The business risk is critical due to the potential for complete compromise of affected devices, including data interception and manipulation of network traffic.

  • Attacker skill: Low.
  • Access required: Network access.
  • Business risk: Critical.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An undocumented administrative account exists in the firmware of multiple Zyxel USG devices. This account can be accessed via SSH or web interface with elevated privileges, posing a significant risk to the confidentiality, integrity, and availability of organizational systems and data. The existence of this account and its credentials within the firmware increases the potential for unauthorized access and control of network devices.

  • Identify affected Zyxel devices.
  • Restrict network access to these devices.
  • Apply vendor updates and confirm resolution.

Frequently asked questions

What are Zyxel USG devices and their primary functions?

Zyxel USG devices are Unified Security Gateways that serve as network security appliances. They function as firewalls and VPN gateways, designed to protect computer networks by controlling incoming and outgoing traffic and enabling secure remote access.

What type of vulnerability does CVE-2020-29583 represent?

CVE-2020-29583 is a hard-coded credentials vulnerability, classified as CWE-522 (Insufficiently Protected Credentials). It involves an undocumented administrative account named 'zyfwp' with an unchangeable, plain-text password embedded in the firmware.

How can an attacker exploit CVE-2020-29583?

An attacker can exploit this vulnerability by logging into the affected Zyxel devices via the SSH server or web interface using the undocumented 'zyfwp' account and its hard-coded credentials. This allows them to gain administrative privileges, potentially compromising the device's confidentiality, integrity, and availability.

What is the relevance of CVE-2020-29583 according to Halo Surface Signal?

Halo Surface Signal assesses CVE-2020-29583 as 'Very likely' to be exploited because the affected devices (firewalls, VPN gateways, wireless controllers) are typically internet-facing edge gateways and remote access points, making their management interfaces inherently exposed.

What steps should be taken to address CVE-2020-29583?

Organizations should update their Zyxel devices to the latest firmware version that resolves this vulnerability. Zyxel has released patch versions, such as firmware 4.60 Patch 1, to remove the 'zyfwp' account. If immediate patching is not possible, filtering access to SSH and web admin interfaces is recommended as a temporary measure.
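The following is an added, defender-side example written for this page; it is not part of the advisory and not Zyxel's own tooling. It turns the Operational Fix steps (identify affected devices, confirm resolution) and the remediation answer above into two checks: an inventory triage that flags firmware 4.60 builds older than Patch 1, and a scan of authentication records for logins by the undocumented 'zyfwp' account, which should never appear in a legitimate audit trail. The device names, addresses and log lines are constructed sample data; the accepted firmware-string formats (the page's "4.60 Patch 1" wording and a Zyxel-style "V4.60(ABAQ.1)" string, where the digit in parentheses is read as the patch level) and the log line layout are assumptions, not the vendor's documented formats.

```python
"""Triage helpers for CVE-2020-29583 (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SUSPECT_ACCOUNT = "zyfwp"        # undocumented account named in the advisory
AFFECTED_MAJOR_MINOR = (4, 60)   # firmware 4.60 is the affected release
FIXED_PATCH_LEVEL = 1            # 4.60 Patch 1 removes the account

# Accepts "4.60", "4.60 Patch 1" and a Zyxel-style "V4.60(ABAQ.1)".
# Assumption: the trailing digit inside the parentheses is the patch level.
_FW_RE = re.compile(
    r"^V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*Patch\s*(?P<p1>\d+)|\([A-Z]+\.(?P<p2>\d+)\))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    firmware: str


def parse_firmware(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); raise ValueError on an unknown format."""
    m = _FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    patch = m.group("p1") or m.group("p2") or "0"
    return int(m.group("major")), int(m.group("minor")), int(patch)


def is_vulnerable(version: str) -> bool:
    """True for 4.60 builds below Patch 1, per the advisory's fix version."""
    major, minor, patch = parse_firmware(version)
    return (major, minor) == AFFECTED_MAJOR_MINOR and patch < FIXED_PATCH_LEVEL


def triage_inventory(devices: List[Device]) -> Tuple[List[str], List[str]]:
    """Split an inventory into (vulnerable names, unparseable names).

    Unparseable entries are reported separately rather than assumed safe,
    so they can be checked by hand.
    """
    vulnerable, unknown = [], []
    for d in devices:
        try:
            if is_vulnerable(d.firmware):
                vulnerable.append(d.name)
        except ValueError:
            unknown.append(d.name)
    return vulnerable, unknown


# Constructed syslog-style records; the layout is an assumption.
SAMPLE_LOGS = [
    "2021-01-04T08:12:01Z usg20 sshd: Accepted password for admin from 10.0.0.5",
    "2021-01-04T08:13:44Z usg20 sshd: Accepted password for zyfwp from 198.51.100.7",
    "2021-01-04T08:14:02Z usg20 httpd: login user=zyfwp src=198.51.100.7 result=ok",
    "2021-01-04T08:15:10Z usg20 httpd: login user=admin src=10.0.0.5 result=ok",
]

_LOGIN_RE = re.compile(r"(?:for|user=)\s*(?P<user>\w+).*?(?:from|src=)\s*(?P<src>[\d.]+)")


def find_suspect_logins(lines: List[str], account: str = SUSPECT_ACCOUNT):
    """Return (user, source, line) for every login by the suspect account."""
    hits = []
    for line in lines:
        m = _LOGIN_RE.search(line)
        if m and m.group("user").lower() == account:
            hits.append((m.group("user"), m.group("src"), line))
    return hits


# Constructed inventory; names, models and firmware strings are sample data.
SAMPLE_INVENTORY = [
    Device("fw-edge-1", "USG20-VPN", "V4.60(ABAQ.0)"),
    Device("fw-edge-2", "USG20-VPN", "4.60 Patch 1"),
    Device("fw-branch", "USG40", "4.60"),
    Device("fw-lab", "USG60", "unknown"),
]

if __name__ == "__main__":
    vuln, unk = triage_inventory(SAMPLE_INVENTORY)
    print("Vulnerable (apply 4.60 Patch 1 or later):", vuln)
    print("Unparseable firmware string, check manually:", unk)
    for user, src, line in find_suspect_logins(SAMPLE_LOGS):
        print(f"ALERT: login by undocumented account {user} from {src}: {line}")
```

Any hit from `find_suspect_logins` on a device that has already been patched is worth treating as a sign of earlier compromise, since the account no longer exists after 4.60 Patch 1; until the update is applied, the access filtering the answer above recommends limits who can reach the SSH and web admin interfaces at all.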
