Unrated severityCISA KEVNVD Advisory· Published Dec 22, 2020· Updated Oct 21, 2025
CVE-2020-29583
CVE-2020-29583
Description
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
Affected products
1- Zyxel/USGdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdfmitre
- businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-releasemitre
- businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15mitre
- www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.htmlmitre
- www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/mitre
- www.zyxel.com/support/CVE-2020-29583.shtmlmitre
- www.zyxel.com/support/security_advisories.shtmlmitre
News mentions
0No linked articles in our index yet.