The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 of Zyxel's broad range of devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall appliances. The vulnerability was reported to Zyxel by EYE researcher Niels Teusink on November 29, after which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.

The undocumented account ("zyfwp") comes with an unchangeable password ("PrOw!aN_fXp"), according to the advisory published by Zyxel. The password is not only stored in plaintext but can also be used by a malicious third party to log in with admin rights to the SSH server or the web interface.

Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points via FTP.

Noting that about 10% of some 1,000 devices in the Netherlands run the affected firmware version, Teusink said the relative ease of exploitation of the bug makes it a critical vulnerability.

"As the 'zyfwp' user has admin privileges, this is a serious vulnerability," Teusink said in a write-up. "An attacker could completely compromise the confidentiality, integrity and availability of the device."

"Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses."
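Two checks a defender would want after reading the above: is a given device on the affected firmware line, and has the undocumented "zyfwp" account ever authenticated to it? The following is an added example written for this article, not Zyxel's code and not EYE's proof of concept. It assumes a firmware version string of the form "V4.60(ABUZ.0)" or "V4.60(ABUZ.0)Patch1" (real Zyxel strings may differ, so adapt the regex to what your device reports), and the log lines embedded in it are constructed samples in a generic syslog shape, not captured Zyxel output.

```python
"""
Triage helpers for CVE-2020-29583 (hardcoded 'zyfwp' admin account in Zyxel ZLD V4.60).

Added example, not vendor code. Assumptions (see lead-in):
  * version strings look like "V4.60(ABUZ.0)" / "V4.60(ABUZ.0)Patch1" (assumed format)
  * SAMPLE_LOG is constructed, not real device output
"""
import re
from typing import Dict, List

VULNERABLE_ACCOUNT = "zyfwp"
# Per the advisory: ZLD V4.60 without Patch1 is affected; V4.60 Patch1 is fixed.
AFFECTED_MAJOR_MINOR = (4, 60)

# Assumed version format: V<major>.<minor>[(<build>)][ Patch<n>]
VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\([^)]*\))?\s*(?:Patch\s*(\d+))?", re.IGNORECASE)

# Generic syslog-style login patterns (assumed; adjust to your collector's format).
USER_RE = re.compile(r"(?:for|[Uu]ser)\s+(\S+)")
IP_RE = re.compile(r"from\s+(\d{1,3}(?:\.\d{1,3}){3})")
SUCCESS_RE = re.compile(r"Accepted|logged in")

# Constructed sample lines (not captured Zyxel logs).
SAMPLE_LOG = [
    "Dec 20 03:14:07 usg-fw sshd: Accepted password for zyfwp from 203.0.113.7 port 51422",
    "Dec 20 03:15:01 usg-fw httpd: User zyfwp logged in from 203.0.113.7 via web",
    "Dec 20 03:16:44 usg-fw sshd: Accepted password for admin from 192.0.2.10 port 40022",
    "Dec 20 03:17:02 usg-fw sshd: Failed password for zyfwp from 198.51.100.9 port 33001",
]


def is_affected_version(version: str) -> bool:
    """True if the firmware string is ZLD V4.60 without Patch1 (or later patch)."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor) == AFFECTED_MAJOR_MINOR and patch < 1


def find_zyfwp_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return every authentication event (successful or failed) for the zyfwp account.

    Failed attempts are reported too: a real administrator should never use this
    account, so even a failure indicates someone probing for the backdoor.
    """
    hits = []
    for line in lines:
        user = USER_RE.search(line)
        if not user or user.group(1) != VULNERABLE_ACCOUNT:
            continue
        ip = IP_RE.search(line)
        hits.append({
            "user": user.group(1),
            "src": ip.group(1) if ip else "unknown",
            "status": "accepted" if SUCCESS_RE.search(line) else "failed",
            "raw": line,
        })
    return hits


def triage(version: str, lines: List[str]) -> Dict[str, object]:
    """Combine both checks into one verdict for a single device."""
    events = find_zyfwp_logins(lines)
    return {
        "affected_firmware": is_affected_version(version),
        "zyfwp_events": len(events),
        "zyfwp_successful_logins": sum(1 for e in events if e["status"] == "accepted"),
        "sources": sorted({e["src"] for e in events}),
    }


if __name__ == "__main__":
    for v in ("V4.60(ABUZ.0)", "V4.60(ABUZ.0)Patch1", "V4.55(ABUZ.0)"):
        print(f"{v:25s} affected={is_affected_version(v)}")
    for e in find_zyfwp_logins(SAMPLE_LOG):
        print(f"{e['status']:8s} {e['src']:15s} {e['raw']}")
    print(triage("V4.60(ABUZ.0)", SAMPLE_LOG))
```

A successful "accepted" event from the zyfwp account on an unpatched device should be treated as a compromise of the firewall, not just an exposure: per Teusink's assessment above, the attacker has admin rights and may already have changed policy or created VPN accounts, so the device's configuration needs to be reviewed, not only patched.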
The company is also expected to address the issue in its access point (AP) controllers with a V6.10 Patch1 release due in April 2021. To mitigate the risk associated with the bug, users are strongly advised to install the required firmware updates.