IRONSMITHINTEL
CRITICAL · CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2020-29583 | Auth: none (unauthenticated) | Reboot: required | Manual only

Zyxel Multiple Products < 4.60 — Credential Theft

Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.

Published Dec 22, 2020 · Updated May 17, 2026
Why patch: risk explained in plain English
Worst-case scenario (if unpatched)

A remote attacker, without authentication, can achieve full loss of data confidentiality, arbitrary modification of data, and complete denial of service (system unavailability). Federal agencies are required to remediate by 2022-05-03 under CISA BOD 22-01.

How the attack works: no clicks needed

This is an Insufficiently Protected Credentials (CWE-522) vulnerability in Zyxel Multiple Products. Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account is stored in cleartext in the firmware image. Anyone who recovers it can log in to the SSH server or the web interface with admin privileges. Exploitation requires remote network access, low attack complexity, no authentication, and no user interaction.


Am I affected? Quick check

Probably yes if any of these apply:

IT Security
Running firmware 4.60 on any of these models:
USG: usg20-vpn, usg20w-vpn, usg40, usg40w, usg60, usg60w, usg110, usg210, usg310, usg1100, usg1900, usg2200
ZyWALL: zywall110, zywall310, zywall1100
ATP: atp100, atp100w, atp200, atp500, atp700, atp800
VPN: vpn50, vpn100, vpn300, vpn1000
USG FLEX: usg flex 100, usg flex 100w, usg flex 200, usg flex 500, usg flex 700
Fixed in: 4.60
Real-world incidents: what we've seen

Active exploitation documented in the wild. Threat-research write-up: https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/

How to patch

Manual remediation steps

1. Identify affected hosts: query inventory for Zyxel installs in scope.
2. Upgrade to version 4.60 or later. Stage in a test ring before broad deployment.
3. Verify by checking the installed version on a sample of remediated hosts.
4. Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.
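The following script is an added example, not code from this advisory page or from Zyxel. It covers the "Am I affected?" check and remediation steps 1 and 3 (identify affected hosts, verify versions), using the product/firmware list exactly as the page gives it, and adds a defender-side watch for login events using the undocumented zyfwp account named above. The inventory rows and log lines are constructed sample data, and the log line format is an assumption for illustration, not Zyxel's real syslog layout; adapt the regex to your own collector's output.

```python
"""Inventory triage and login watch for CVE-2020-29583 (Zyxel hard-coded 'zyfwp' account).

Added example, not code from the advisory page. The affected product/firmware
list is copied from the page; the inventory rows and log lines are constructed
sample data, and the log format is an assumption, not Zyxel's real syslog layout.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Affected firmware version and product models as listed on the advisory page.
AFFECTED_FIRMWARE = "4.60"
AFFECTED_PRODUCTS = frozenset({
    "usg20-vpn", "usg20w-vpn", "usg40", "usg40w", "usg60", "usg60w",
    "usg110", "usg210", "usg310", "usg1100", "usg1900", "usg2200",
    "zywall110", "zywall310", "zywall1100",
    "atp100", "atp100w", "atp200", "atp500", "atp700", "atp800",
    "vpn50", "vpn100", "vpn300", "vpn1000",
    "usg flex 100", "usg flex 100w", "usg flex 200", "usg flex 500", "usg flex 700",
})

# Undocumented account named in the advisory; any login with it is a finding.
HARDCODED_ACCOUNT = "zyfwp"


def normalize_product(name: str) -> str:
    """Lower-case and collapse whitespace so 'USG FLEX  100' matches 'usg flex 100'."""
    return re.sub(r"\s+", " ", name.strip().lower())


def is_affected(product: str, firmware: str) -> bool:
    """True when the product/firmware pair appears in the page's affected list."""
    return (normalize_product(product) in AFFECTED_PRODUCTS
            and firmware.strip() == AFFECTED_FIRMWARE)


def find_affected_hosts(inventory: Iterable[Dict[str, str]]) -> List[str]:
    """Remediation step 1: return hostnames whose model/firmware pair is affected."""
    return [row["host"] for row in inventory if is_affected(row["model"], row["firmware"])]


# Constructed log format (assumption):
#   "<ts> <host> <service>: login user=<name> from=<ip> result=<ok|fail>"
_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>\w+): "
    r"login user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>\w+)$"
)


def flag_hardcoded_account_logins(log_lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, service, source IP, result) for every login attempt as zyfwp.

    Failed attempts are reported too: a failure still shows someone probing
    for the undocumented account, which is worth an alert on its own.
    """
    hits = []
    for line in log_lines:
        m = _LOGIN_RE.match(line)
        if m and m.group("user") == HARDCODED_ACCOUNT:
            hits.append((m.group("host"), m.group("service"), m.group("src"), m.group("result")))
    return hits


# Constructed sample inventory and log lines (not real data).
SAMPLE_INVENTORY = [
    {"host": "fw-branch-01", "model": "USG40", "firmware": "4.60"},
    {"host": "fw-hq-01", "model": "ATP500", "firmware": "4.60"},
    {"host": "fw-lab-01", "model": "USG FLEX 100", "firmware": "4.55"},
]

SAMPLE_LOGS = [
    "2020-12-23T01:02:03Z fw-branch-01 sshd: login user=admin from=10.0.0.5 result=ok",
    "2020-12-23T01:05:10Z fw-branch-01 sshd: login user=zyfwp from=203.0.113.7 result=ok",
    "2020-12-23T01:06:44Z fw-hq-01 https: login user=zyfwp from=198.51.100.9 result=fail",
    "garbage line that does not match the expected layout",
]

if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"AFFECTED: {host}")
    for host, service, src, result in flag_hardcoded_account_logins(SAMPLE_LOGS):
        print(f"ALERT: {HARDCODED_ACCOUNT} login on {host} via {service} from {src} ({result})")
```

One caveat when reusing this: the AP Controllers (NXC2500 and NXC5500) named in the description above do not appear in the page's firmware list, so the inventory check as written will not flag them; extend AFFECTED_PRODUCTS from your vendor notice before relying on it for those models.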
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.