High risk vulnerability in Zyxel firewalls and AP controllers exploited in the wild

High risk hardcoded credential vulnerability exploited in the wild Zyxel firewalls and AP controllers

Security experts have warned about a high risk hardcoded credential vulnerability in Zyxel firewalls and AP controllers. Some sources have confirmed that bad actors have already ramped up exploits against the vulnerability.

Zyxel is a manufacturer of networking devices such as firewalls and access point (AP) controllers used for WiFi connectivity.


The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an advisory on the Zyxel hardcoded credential vulnerability CVE-2020-29583 that could allow administrative access.

“Successful exploitation of this vulnerability could allow for administrative access to the system, which could allow an attacker to change firewall settings, intercept traffic, create VPN accounts to gain access to the network behind the device, and perform additional administrative functions,” the MS-ISAC published in the advisory (2021-001).

In addition, the MS-ISAC rates CVE-2020-29583 as High risk for both Large and Medium-sized governments and businesses. To add, the vulnerability is rated Medium for small businesses. Overall, NIST also rates the vulnerability CVSS score of 7.8.

Zyxel issued patches to address the issue after being notified by an external security researcher from EYE Netherlands who had found a secret hardcoded admin account in the previously current version of firmware.

“A hardcoded credential vulnerability was identified in the ‘zyfwp’ user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP,” Zyxel explained in the advisory.

Exploited in the wild?

Although neither MS-ISAC nor Zyxel reported any exploits in the wild at the time of their original posting, several other sources said actors were likely ramping up exploits.

According to AttackerKB, there have reports of “increased exploitation of this vulnerability in the wild as of January 6th”, as noted by Threatpost. Furthermore, the SANS Internet Storm Center (ISC) also observed attempts to access their SSH honeypots via these default credentials.

Devices affected

The following Zyxel devices are affected (along with recommended patch available):

  • Zyxel Firewall ATP, USG, USG FLEX, and VPN version 4.60 (ZLD V4.60 Patch1 in Dec. 2020)
  • Zyxel AP Controllers NXC2500 and NXC5500 version 6.10 (V6.10 Patch1 on Jan. 8, 2021).

Related Articles