The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 of Zyxel's wide range of devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products. The vulnerability was identified by EYE researcher Niels Teusink on November 29, after which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.

The undocumented account ("zyfwp") comes with an unchangeable password ("PrOw!aN fXp"), according to the advisory released by Zyxel. The password is not only stored in plaintext but may also be used by a hostile third party to log in with admin rights to the SSH server or web interface. Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points via FTP.

Noting that about 10% of 1000 devices in the Netherlands run the affected firmware version, Teusink said the relative ease of exploiting the flaw makes it a significant vulnerability. "As the 'zyfwp' user has admin privileges, this is a serious vulnerability," Teusink said in a write-up. "An attacker could completely compromise the confidentiality, integrity and availability of the device." "Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses."

It is also said that the Taiwanese company will address the problem with a V6.10 Patch1 for its access point (AP) controllers, to be released in April 2021. To mitigate the risk associated with the flaw, it is strongly recommended that users install the necessary firmware updates.