Cyber Resilience

CVE-2020-29583

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 22 December 2020

Published
22 December 2020
Modified
07 November 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9430 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-29583 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Zyxel Usg20-Vpn Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2020-29583 affects Zyxel USG devices running firmware version 4.60. The vulnerability consists of an undocumented account named zyfwp that uses a fixed, unchangeable password stored in cleartext within the firmware image. This account grants administrative privileges when used to authenticate to either the SSH server or the web management interface.

An attacker with network reachability to an affected device can exploit the issue without any prior credentials or user interaction. By extracting the password from the firmware and logging in as zyfwp, the attacker obtains full administrative control, enabling arbitrary configuration changes, traffic inspection, or further lateral movement. The CVSS 3.1 base score of 9.8 reflects the combination of network attack vector, low complexity, and complete loss of confidentiality, integrity, and availability.

Public references point to Zyxel firmware release notes and independent analyses that discuss the account and subsequent patched releases; practitioners should consult the vendor advisories for specific mitigation steps such as firmware upgrades that remove or disable the account.

EU & UK References

Vulnerability details

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the…

more

ssh server or web interface with admin privileges.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zyxel
usg20-vpn firmware
4.60
zyxel
usg20w-vpn firmware
4.60
zyxel
usg40 firmware
4.60
zyxel
usg40w firmware
4.60
zyxel
usg60 firmware
4.60
zyxel
usg60w firmware
4.60
zyxel
usg110 firmware
4.60
zyxel
usg210 firmware
4.60
zyxel
usg310 firmware
4.60
zyxel
usg1100 firmware
4.60
+20 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires explicit management and documentation of all accounts, directly eliminating the undocumented zyfwp backdoor account with its fixed password.

prevent

Mandates secure authenticator generation, storage, and changeability, blocking the cleartext unchangeable password embedded in firmware.

prevent

Enforces secure configuration baselines that prohibit hardcoded administrative accounts and cleartext credentials in device firmware.

References