Last Update 1/8 - 5pm
This article gives you further information on our recently published security advisory:
What is the issue?
Zyxel received the security report from EYE Netherlands on November 30, 2020, that a hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP, and it was never an intentional backdoor.
What models are affected?
For our firewalls, only the ATP, USG (ZyWall), USG FLEX and VPN series running firmware version ZLD V4.60 (Patch 0) are affected.
For AP controllers, only NXC2500 and NXC5500 running firmware version 6.00 through 6.10 are affected.
Models not listed above are NOT affected. For example, ATP, USG (ZyWall), USG FLEX, and VPN firewalls running firmware versions earlier than ZLD V4.60 Patch 0 and the VPN series running the SD-OS are NOT affected.
What is the impact?
For ATP, USG, ZyWALL, USG FLEX, and VPN series running firmware version 4.60 Patch 0 affected by this vulnerability, the “zyfwp” account was misconfigured with “admin” privilege. The password was hardcoded, which could allow an attacker who knows the credentials to access the firewalls with admin privilege.
The account also exists in the ATP, USG, ZyWALL, USG FLEX and VPN series running firmware versions before V4.60 Patch 0. However, there the password is NOT hardcoded and the account is only given restricted privilege to perform the following for delivering automatic firmware updates to APs:
- Connect to the embedded FTP server. The account is NOT allowed to log in to the Console/TELNET/SSH/WWW/SNMP v3.
- Once logged in to FTP, the account can only access the “AP firmware” directory and CANNOT traverse to other directories.
For the affected NXC2500 and NXC5500 running firmware version 6.00 through 6.10, the password was hardcoded, but the account was only given the restricted privilege to perform the same function described above.
For NXC2500 and NXC5500 running firmware versions earlier than 6.00, the account exists, but there is no hardcoded password, and the account is only given restricted privilege.
To summarize, if your ATP, USG, ZyWALL, USG FLEX, and VPN series are running firmware version 4.60 Patch 0, please install the firmware updates immediately.
Is the security issue corrected?
For firewalls, we took action immediately as soon as we received the report. Within 3 days, we validated the issue, removed the vulnerable firmware version 4.60 Patch 0 from all public download points, and released a temporary hotfix firmware version 4.60 WK48 on December 3, 2020.
Within 2 weeks, we released the standard firmware update 4.60 Patch 1 on December 14, 2020, and completed the firmware rollout for all the affected models and notified the affected firewall users via email on December 18, 2020.
For the affected AP controllers, the firmware was released on 1/7. As the account privilege is still restricted there, the severity was lower.
Has Zyxel advised the affected users?
Zyxel proactively notified the affected firewall users through multiple email notifications on December 18, 2020, and January 4, 2021, and pushed an alert notification on the affected firewalls’ management interface to urge users to install the patches for optimal protection.
We also published the security advisory on Zyxel’s global website and forum on December 23, 2020, at:
Are users expected to take any action?
If you have the affected models running the vulnerable firmware versions, please install the firmware updates. If you have any questions about installing them, please contact us for further assistance.
What should I do if I can’t upgrade the firmware in a short time?
If you cannot upgrade to the latest available firmware immediately, please follow the following steps to minimize the risk. However, the best solution is still to upgrade to the latest available firmware.
- If it is not absolutely necessary to manage devices from the WAN side, please disable the FTP/TELNET/SSH/WWW/SNMPv3 service from WAN. These services are disabled by default, so you won’t have to do so unless you have enabled them in the past.
- If you still need to manage devices from the WAN side, please enable Policy Control and add rules only to allow access from trusted source IP addresses.
- We also recommend that users enable Policy Control on the LAN side and add rules only to allow trusted IP addresses for better protection.
Remote Access to the ZyWALL (USG/UAG/VPN/ATP)
You can also watch our video related to this topic and how to protect your device.
For AP controllers:
- If you don’t need to deliver an automatic firmware upgrade for APs through FTP, please disable the controller's FTP service. The AP controllers use the CAPWAP protocol as the default design to deliver such updates.
- If it is still necessary to enable FTP service, please enable the Service Control or Policy Control features for better protection.
Where can I find Zyxel’s latest security advisories?
Zyxel’s security advisories are available at
Alternatively, you can follow our Security Section in this Helpcenter. This also sends an email notification to your account whenever our team adds something here.
Zyxel Security Advisories CVE
Go to this article and click the "Follow" button after logging in.
What was the email title that was sent to affected customers?
“Zyxel security advisory for CVE-2020-29583”.
How do I check if an unauthorized user has tried to access my device?
a) Log in to your security device
b) Move to "Monitor" -> "Log"
c) Filter to Category "User"
If you do not see a login by "zyfwp" or a successful login by any account you do not recognize, you are safe once you have upgraded to 4.60 Patch 1.
Please note that the local log holds at most 2048 entries. If older entries have already been overwritten, only a previously configured syslog server receiving the "User" category or the SecuReport Tool with history logs can help here.
How do I check if an unauthorized user changed my configuration?
You can check your Admin Account Table. If there is no unintended admin account, then no unauthorized access happened. Zyxel is not aware of any unauthorized access to any security product.
You can also use the SSH command:
show running-config |match "admin"
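As an added example that is not Zyxel's own code, the following Python script automates both checks above (the "User" log review and the admin account review) over constructed sample input; the key=value log layout, the `username ... user-type` line syntax of the running config, and the account names are assumptions made for illustration only.

```python
import re

# Constructed sample of the "User" category log; the key=value layout is assumed, not the page's format.
SAMPLE_LOGS = """\
2020-12-20 08:01:12 cat="User" msg="User admin has logged in from 192.168.1.10 via https" user="admin"
2020-12-20 08:05:44 cat="User" msg="User zyfwp has logged in from 203.0.113.7 via ftp" user="zyfwp"
2020-12-20 08:06:02 cat="User" msg="Failed login attempt to Device from 203.0.113.7 via https" user="admin"
2020-12-20 08:07:30 cat="User" msg="User support has logged in from 203.0.113.7 via https" user="support"
2020-12-20 08:09:15 cat="Firewall" msg="from WAN to ZyWALL, TCP, service others, ACCEPT" user=""
"""

# Constructed output of `show running-config | match "admin"`; the line syntax is assumed.
SAMPLE_CONFIG = """\
username admin password $4$examplehash user-type admin
username netops password $4$examplehash user-type admin
username helpdesk password $4$examplehash user-type admin
username guest password $4$examplehash user-type user
"""

KNOWN_ACCOUNTS = {"admin", "netops"}  # accounts the operator created themselves (constructed)

LOG_RE = re.compile(r'^(?P<ts>\S+ \S+) cat="(?P<cat>[^"]*)" msg="(?P<msg>[^"]*)"')
LOGIN_RE = re.compile(r"^User (?P<user>\S+) has logged in from (?P<src>\S+) via (?P<svc>\S+)$")
USER_RE = re.compile(r"^username (?P<name>\S+) password \S+ user-type (?P<type>\S+)$")

def suspicious_logins(log_text, known_accounts):
    """Return successful logins by zyfwp or by any account not in known_accounts."""
    findings = []
    for line in log_text.splitlines():
        entry = LOG_RE.match(line)
        if not entry or entry.group("cat") != "User":
            continue  # only the "User" category carries login events
        login = LOGIN_RE.match(entry.group("msg"))
        if not login:
            continue  # failed attempts and other User messages are not successful logins
        user = login.group("user")
        if user == "zyfwp" or user not in known_accounts:
            findings.append((entry.group("ts"), user, login.group("src"), login.group("svc")))
    return findings

def unexpected_admins(config_text, known_accounts):
    """Return admin-type accounts in the running config that the operator did not create."""
    unexpected = []
    for line in config_text.splitlines():
        user = USER_RE.match(line.strip())
        if user and user.group("type") == "admin" and user.group("name") not in known_accounts:
            unexpected.append(user.group("name"))
    return unexpected
```

Feed it the "User" log exported to your syslog server and the output of the SSH command above; any zyfwp login, any login by an account you did not create, or any admin account you did not create is what the checks on this page are looking for.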
How do I check the correct installation of the firmware?
If you go to Maintenance -> File Manager -> Firmware Management, you can see 4.60 Patch 1 with build date 12/1, if the version was correctly updated.