Zyxel security advisory for hardcoded credential vulnerability

Started by icecream-guy, January 04, 2021, 08:14:23 AM

icecream-guy

https://www.zyxel.com/support/CVE-2020-29583.shtml

CVE: CVE-2020-29583

Summary

Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from EYE Netherlands. Users are advised to install the applicable firmware updates for optimal protection.


What is the vulnerability?

A hardcoded credential vulnerability was identified in the "zyfwp" user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.


What versions are vulnerable—and what should you do?

After a thorough investigation, we've identified the vulnerable products and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates. Products not listed are not affected. Contact your local Zyxel support team if you require further assistance.

Affected product series | Patch available in
Firewalls
ATP series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020
USG series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020
USG FLEX series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020
VPN series running firmware ZLD V4.60 | ZLD V4.60 Patch1 in Dec. 2020
AP controllers
NXC2500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021
NXC5500 running firmware V6.00 through V6.10 | V6.10 Patch1 on Jan. 8, 2021
:professorcat:

My Moral Fibers have been cut.