Last Update 1/8 - 5pm
This article will give you further information about our recently published security advisory:
What is the issue?
Zyxel received the security report from EYE Netherlands on November 30, 2020, that a hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP, and it was never an intentional backdoor.
What models are affected?
For firewalls, only the ATP, USG (ZyWall), USG FLEX, and VPN series running firmware version ZLD V4.60 (Patch 0) are affected.
For AP controllers, only NXC2500 and NXC5500 running firmware version 6.00 through 6.10 are affected.
Models not listed above are NOT affected. For example, ATP, USG (ZyWall), USG FLEX, and VPN firewalls running firmware versions earlier than ZLD V4.60 Patch 0, and the VPN series running SD-OS, are NOT affected.
What is the impact?
For ATP, USG, ZyWALL, USG FLEX, and VPN series running firmware version 4.60 Patch 0 that were affected by this vulnerability, the “zyfwp” account was misconfigured with “admin” privilege and the password was hardcoded, which could allow an attacker to access the firewalls with admin privilege if the attacker knows the credentials.
The account also exists in the ATP, USG, ZyWALL, USG FLEX and VPN series running firmware versions before V4.60 Patch 0; however, there the password is NOT hardcoded, and the account is only given restricted privilege to perform the following functions for delivering automatic firmware updates to APs:
- Connect to the embedded FTP server. The account is NOT allowed to log in to the Console/TELNET/SSH/WWW/SNMP v3.
- Once logged in to FTP, the account can only access the “AP firmware” directory and CANNOT traverse to other directories.
For the affected NXC2500 and NXC5500 running firmware versions 6.00 through 6.10, the password was hardcoded, but the account was only given the restricted privilege described in the preceding paragraph.
For NXC2500 and NXC5500 running firmware versions earlier than 6.00, the account exists, but there is no hardcoded password and the account is only given restricted privilege.
To summarize, if your ATP, USG, ZyWALL, USG FLEX, and VPN series are running firmware version 4.60 Patch 0 please install the firmware updates immediately.
Is the security issue corrected?
For firewalls, we took action immediately as soon as we received the report. Within 3 days, we validated the issue, removed the vulnerable firmware version 4.60 Patch 0 from all public download points, and released a temporary hotfix firmware version 4.60 WK48 on December 3, 2020.
Within 2 weeks, we released the standard firmware update 4.60 Patch 1 on December 14, 2020, completed the firmware rollout for all the affected models, and notified the affected firewall users via email on December 18, 2020.
For the affected AP controllers, the firmware was released on 1/7; because the account privilege is still restricted, the severity was lower.
Has Zyxel advised the affected users?
Zyxel proactively notified the affected firewall users through multiple email notifications on December 18, 2020, and January 4, 2021, and pushed an alert notification on the affected firewalls’ management interface to urge users to install the patches for optimal protection.
We also published the security advisory on Zyxel’s global website and forum on December 23, 2020, at:
Are users expected to take any action?
If you have the affected models running the vulnerable firmware versions, please install the firmware updates. If you have any questions about installing them, please contact us for further assistance.
What should I do if I can’t upgrade the firmware in a short time?
If you are unable to upgrade to the latest available firmware immediately, please take the following steps to minimize the risk. The best solution, however, is still to upgrade to the latest available firmware.
- If it is not absolutely necessary to manage devices from the WAN side, please disable the FTP/TELNET/SSH/WWW/SNMPv3 services from the WAN. These services are disabled by default, so you only need to do this if you have enabled them in the past.
- If you still need to manage devices from the WAN side, please enable Policy Control and add rules to only allow access from trusted source IP addresses.
- We also recommend that users enable Policy Control on the LAN side and add rules to only allow trusted IP addresses for better protection.
Remote Access to the ZyWALL (USG/UAG/VPN/ATP)
You can also watch our video on this topic and on how to protect your device.
For AP controllers:
- If you don’t need to deliver automatic firmware upgrades to APs through FTP, please disable the FTP service on the controller. The AP controllers use the CAPWAP protocol by default to deliver such updates.
- If it is still necessary to enable the FTP service, please enable the Service Control or Policy Control features for better protection.
Where can I find Zyxel’s latest security advisories?
Zyxel’s security advisories are available at
Alternatively, you can follow the Security section in this Helpcenter; this will also generate an e-mail notification to your account whenever our team adds something here.
Zyxel Security Advisories CVE
Go to this article and click the "Follow" button after logging in.
What was the email title that was sent to affected customers?
“Zyxel security advisory for CVE-2020-29583”.
How do I check if an unauthorized user is trying to access my device?
a) Log in to your security device
b) Go to "Monitor" -> "Log"
c) Filter by Category "User"
If you do not see the user "zyfwp" or any successful login from an account you do not recognize, you are safe after upgrading to 4.60 Patch 1.
Please note that the log holds a maximum of 2048 entries and may not show the full history. In that case, only a previously set up syslog server for category "User" or the SecuReporter tool with history logs can help here.
How do I check if an unauthorized user changed my configuration?
You can check your Admin Account Table; if no additional admin account has been created, no unauthorized access has happened. Zyxel is not aware of any unauthorised access to any security product.
You can also use the following SSH command:
show running-config |match "admin"
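The two checks above (looking for "zyfwp" or unknown accounts in the "User" log category, and looking for admin accounts you did not create in the running configuration) can be automated when the device log has already rolled over and you are working from a syslog export instead. The script below is an added example, not Zyxel's code: the syslog line layout and the `username ... user-type ...` configuration syntax are constructed approximations of ZyWALL output, and the regular expressions should be adjusted to what your syslog server actually records.

```python
"""Offline audit helpers for the two CVE-2020-29583 checks described above.

Added example, not Zyxel code. The log-line and running-config formats are
ASSUMED approximations of ZyWALL output; adapt the regular expressions to
the real format recorded by your device or syslog server.
"""
import re
from typing import Dict, List, Set

# Constructed sample of category "User" syslog entries (format assumed).
SAMPLE_USER_LOGS = """\
2020-12-20 03:12:41 src="198.51.100.23:51844" dst="192.0.2.1:22" msg="User zyfwp has logged in from 198.51.100.23" user="zyfwp" cat="User"
2020-12-20 08:30:02 src="192.168.1.10:50213" dst="192.168.1.1:443" msg="User admin has logged in from 192.168.1.10" user="admin" cat="User"
2020-12-21 22:05:19 src="203.0.113.77:40021" dst="192.0.2.1:443" msg="User svc_backup has logged in from 203.0.113.77" user="svc_backup" cat="User"
2020-12-21 22:05:30 src="203.0.113.78:40022" dst="192.0.2.1:443" msg="User admin login failed" user="admin" cat="User"
"""

# Constructed fragment of `show running-config` output (syntax assumed).
SAMPLE_RUNNING_CONFIG = """\
username admin password encrypted $1$xxxx user-type admin
username helper password encrypted $1$zzzz user-type admin
username vpnuser password encrypted $1$wwww user-type user
"""

SUCCESS_MARK = "has logged in"  # assumed wording of a successful-login message
USER_RE = re.compile(r'user="([^"]+)"')
SRC_RE = re.compile(r'src="([^":]+)')
ACCOUNT_RE = re.compile(r'username\s+(\S+)\s.*?user-type\s+(\S+)')


def find_suspicious_logins(log_text: str, known_accounts: Set[str]) -> List[Dict[str, str]]:
    """Return successful "User"-category logins by zyfwp or by any account
    that is not in known_accounts (the accounts you created yourself)."""
    findings = []
    for line in log_text.splitlines():
        # Only successful logins in the "User" category are of interest.
        if 'cat="User"' not in line or SUCCESS_MARK not in line:
            continue
        m_user = USER_RE.search(line)
        if not m_user:
            continue
        user = m_user.group(1)
        if user == "zyfwp" or user not in known_accounts:
            m_src = SRC_RE.search(line)
            findings.append({
                "time": line[:19],
                "user": user,
                "src": m_src.group(1) if m_src else "?",
            })
    return findings


def find_unexpected_admins(config_text: str, expected_admins: Set[str]) -> List[str]:
    """Mimic `show running-config | match "admin"` and return admin-type
    accounts that are not in expected_admins."""
    unexpected = []
    for line in config_text.splitlines():
        if "admin" not in line:  # same filter the CLI "match" applies
            continue
        m = ACCOUNT_RE.match(line)
        if not m:
            continue
        name, user_type = m.groups()
        if user_type == "admin" and name not in expected_admins:
            unexpected.append(name)
    return unexpected


if __name__ == "__main__":
    # Accounts you know you created; everything else is flagged.
    known = {"admin"}
    for f in find_suspicious_logins(SAMPLE_USER_LOGS, known):
        print(f"suspicious login: {f['time']} user={f['user']} src={f['src']}")
    for name in find_unexpected_admins(SAMPLE_RUNNING_CONFIG, known):
        print(f"unexpected admin account: {name}")
```

On the constructed sample this flags the "zyfwp" login and the unknown "svc_backup" login, ignores the failed admin attempt, and reports "helper" as an admin account that was not in the expected set. Feed it the full export from your syslog server rather than the on-device log, since the device log keeps only the last 2048 entries.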
How do I check the correct installation of the firmware?
If you go to Maintenance - File Manager - Firmware Management on your device and see 4.60 Patch 1 with build date 12/1, the version has been updated correctly.
Zyxel will continue to update this article with related questions as soon as possible.