Zyxel security advisory for hardcoded credential vulnerability

Zyxel_Joslyn (Zyxel Employee)

CVE: CVE-2020-29583


Zyxel has released a patch for the hardcoded credential vulnerability of firewalls and AP controllers recently reported by researchers from EYE Netherlands. Users are advised to install the applicable firmware updates for optimal protection.

What is the vulnerability?

A hardcoded credential vulnerability was identified in the “zyfwp” user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP. 

What versions are vulnerable—and what should you do? 

After a thorough investigation, we’ve identified the vulnerable products and are releasing firmware patches to address the issue, as shown in the table below. For optimal protection, we urge users to install the applicable updates. For those not listed, they are not affected. Contact your local Zyxel support team if you require further assistance. 

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact [email protected] and we’ll get right back to you.


Thanks to Niels Teusink at EYE for reporting the issue to us.

Revision history

2020-12-23: Initial release

2020-12-24: Updated the acknowledgement section

2021-1-4: Updated the patch schedule for AP controllers


  • inchica
    Is the Zywall 110 affected?  Autoupdate is not showing any available updates. 
  • Zyxel_Dick
     Zyxel Employee
    edited January 2021
    What is the impact of NXC2500/5500?

    Although the firmware is impacted by the vulnerability, the risk to the current device is lower. Below is the detailed information for your reference.

    The specific account is only used to connect to the embedded FTP server. The account is NOT allowed to log in to the Console/TELNET/SSH/WWW/SNMP v3.

    Once logged in to FTP, the account can only access the “AP firmware” directory and CANNOT traverse to other directories.

  • Zyxel_Dick
     Zyxel Employee
    What should I do if I can’t upgrade the firmware in a short time?

    1.    If you don’t need to deliver automatic firmware upgrades for APs through FTP, please disable the FTP service on the controller. The AP controllers use the CAPWAP protocol as the default design to deliver such updates.

    2.    If it is still necessary to enable the FTP service, please enable the Service Control or Policy Control features for better protection.
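
An added example, not Zyxel's code and not part of any post above: since the advisory says the zyfwp account exists to deliver firmware to access points over FTP, this log triage flags zyfwp sessions on any other service or from outside the AP subnets. The key=value log format, the sample lines and the AP subnet are constructed assumptions; adapt the parser to your device's actual log export.

```python
import ipaddress
import re

ACCOUNT = "zyfwp"  # account name given in the advisory
# Assumption: subnets where managed access points live (constructed value).
AP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in a generic key=value format, not real device output.
SAMPLE_LOG = """\
2021-01-05T02:11:09Z service=ftp user=zyfwp src=192.0.2.17 result=success
2021-01-05T02:14:40Z service=ssh user=zyfwp src=203.0.113.50 result=success
2021-01-05T02:15:02Z service=www user=admin src=192.0.2.5 result=success
2021-01-05T02:19:33Z service=ftp user=zyfwp src=198.51.100.8 result=failure
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if it has no fields."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(FIELD.findall(rest))
    return (ts, fields) if fields else None

def review_zyfwp_logins(log_text, ap_networks=AP_NETWORKS):
    """Flag zyfwp sessions that do not look like an AP fetching firmware over FTP."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1].get("user") != ACCOUNT:
            continue
        ts, f = parsed
        reasons = []
        if f.get("service") != "ftp":
            reasons.append("non-FTP service: " + f.get("service", "?"))
        try:
            src = ipaddress.ip_address(f.get("src", ""))
            if not any(src in net for net in ap_networks):
                reasons.append("source outside AP networks")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append((ts, f.get("src"), f.get("result"), reasons))
    return findings

if __name__ == "__main__":
    for finding in review_zyfwp_logins(SAMPLE_LOG):
        print(finding)
```

Failed attempts are reported as well as successful ones, because repeated failures against this account from outside the AP subnets are worth reviewing even after the firmware update is installed.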