What are Zyxel Firewalls and AP Controllers?
Zyxel produces enterprise and SMB network security appliances, including the ATP (Advanced Threat Protection) and USG (Unified Security Gateway) firewall series. These devices sit at the network perimeter, terminate VPN connections, and enforce traffic policy for businesses. The NXC2500 and NXC5500 are Zyxel's enterprise wireless access point controllers, each managing large fleets of APs. Because these devices hold the network's security policy and VPN access, a compromised Zyxel firewall or AP controller hands an attacker the security boundary itself: they can disable firewall rules, intercept VPN traffic, modify routing, and keep persistent access to the network.
Overview
CVE-2020-29583 is a hardcoded credential vulnerability in Zyxel ATP/USG/USG FLEX/VPN firewalls and NXC2500/NXC5500 AP controllers. An undocumented administrative account named `zyfwp`, with the fixed password `PrOw!aN_fXp`, is embedded in the firmware; the account is not visible in the management interface and its password cannot be changed by the device administrator. The account has admin-level privileges and accepts logins over SSH and the HTTPS web administration interface, so anyone who can reach the management interface can log in as `zyfwp` with the public password and take full administrative control. Dutch security firm Eye Control discovered the account in late 2020; once the advisory was published, the credentials were public and exploitation required nothing more than network access to the management interface.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Zyxel ATP series firmware V4.60 Patch0 | Yes | V4.60 Patch1 |
| Zyxel USG series firmware V4.60 Patch0 | Yes | V4.60 Patch1 |
| Zyxel USG FLEX series firmware V4.60 Patch0 | Yes | V4.60 Patch1 |
| Zyxel VPN series firmware V4.60 Patch0 | Yes | V4.60 Patch1 |
| Zyxel NXC2500 / NXC5500 V6.00 through V6.10 | Yes | V6.10 Patch1 |
Technical Details
- Root cause: a hardcoded credential; NVD classifies the flaw as CWE-522 (Insufficiently Protected Credentials). The `zyfwp` account is compiled directly into the firmware with a fixed password that administrators can neither change nor remove through normal device management, and the same account exists on every device running the affected firmware versions
- Unchangeable password: unlike a default password that can be rotated after deployment, the `zyfwp` password is baked into the firmware image, so patching is the only remediation; password policy enforcement on the device does nothing for this account
- Admin privileges: the `zyfwp` account has administrative access equivalent to the device's primary admin account, giving full control over firewall rules, VPN configuration, routing, wireless management (on the AP controllers), and all other device settings
- SSH and HTTPS access: the account authenticates over both SSH (port 22 by default) and the HTTPS web management interface (port 443 by default); SSH is the more dangerous path because it provides an interactive shell on the appliance rather than just the web configuration UI
- Public credentials: Eye Control's disclosure published the password `PrOw!aN_fXp` along with the account name, so from the moment of disclosure every attacker had working credentials, making patching urgent for every Zyxel device whose management interface is reachable from the internet
Discovery
Discovered by Dutch security firm Eye Control in late 2020. Eye Control reported the account to Zyxel, and Zyxel released firewall patches alongside the public disclosure on December 22, 2020. Because the account name and password were published together, every unpatched device was trivially exploitable from the day of disclosure, making the window between disclosure and patching the critical period.
Exploitation Context
Hardcoded credential vulnerabilities in network security appliances are among the easiest to exploit: no exploitation technique is required beyond knowing the credentials and reaching the management interface. After Eye Control published the `zyfwp` credentials, internet-wide scanners began probing Zyxel management interfaces for the account almost immediately, and attackers seeking initial network access through Zyxel VPN appliances used it in the weeks and months that followed. Shodan consistently indexed thousands of internet-exposed Zyxel management interfaces during this period. CISA's addition of the CVE to the Known Exploited Vulnerabilities catalog in November 2021 reflects continued exploitation of devices that were still unpatched almost a year after disclosure.
Remediation
- Apply Zyxel V4.60 Patch 1 or later on the ATP, USG, USG FLEX and VPN series; the patch removes the hardcoded `zyfwp` account
- Apply Zyxel V6.10 Patch 1 or later on NXC2500/NXC5500 AP controllers
- Immediately restrict management interface access: allow HTTPS (443) and SSH (22) only from authorized administrator addresses, and block the management ports from untrusted networks and the internet; this is the mitigation for any device that cannot be patched straight away
- Review authentication logs for any `zyfwp` login attempt, successful or failed; a device that was exposed while unpatched may already have been compromised
- After patching, rotate VPN shared secrets, admin passwords, and any other credentials reachable through the management interface in case of prior compromise
- On Zyxel VPN appliances, verify that no unauthorized VPN accounts, user objects, or remote-access rules were created during the potential exploitation window
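The two checks above that can be done offline (is this firmware in the affected range, and did anyone use the hidden account) as a small Python triage script. This is an added example, not Zyxel's or Eye Control's code. It assumes Zyxel firmware strings take the form `V4.60(ABAQ.0)`, where the trailing digit is the patch level; the log lines are a constructed syslog-style format invented for the example, not Zyxel's real log format, so adapt the regular expression to your own log export.

```python
"""Offline triage for CVE-2020-29583 (hidden 'zyfwp' account on Zyxel
ATP/USG/USG FLEX/VPN firewalls and NXC2500/NXC5500 AP controllers).

Added example; not vendor code. Assumptions are marked inline.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

FIREWALL_SERIES = {"ATP", "USG", "USG FLEX", "VPN"}
AP_CONTROLLERS = {"NXC2500", "NXC5500"}

# ASSUMPTION: firmware strings look like "V4.60(ABAQ.0)"; the letters are a
# per-model build code and the final number is the patch level.
VERSION_RE = re.compile(r"V(?P<major>\d+)\.(?P<minor>\d+)\([A-Z]+\.(?P<patch>\d+)\)")


def parse_version(fw: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a Zyxel-style firmware string."""
    m = VERSION_RE.fullmatch(fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return int(m["major"]), int(m["minor"]), int(m["patch"])


def is_vulnerable_firmware(series: str, fw: str) -> bool:
    """Apply the affected/fixed ranges from the advisory table."""
    major, minor, patch = parse_version(fw)
    if series in FIREWALL_SERIES:
        # Advisory: V4.60 Patch0 is vulnerable, V4.60 Patch1 is the fix.
        return (major, minor) == (4, 60) and patch == 0
    if series in AP_CONTROLLERS:
        # Advisory: V6.00 through V6.10 vulnerable, fixed in V6.10 Patch1.
        return (6, 0, 0) <= (major, minor, patch) < (6, 10, 1)
    raise ValueError(f"unknown Zyxel series: {series!r}")


@dataclass
class LoginEvent:
    timestamp: str
    device: str
    user: str
    method: str
    success: bool
    src: str


# CONSTRUCTED log format for illustration only (not Zyxel's real syslog):
#   <timestamp> <device> auth: user=<name> method=<ssh|https> result=<ok|fail> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+auth:\s+user=(?P<user>\S+)\s+"
    r"method=(?P<method>ssh|https)\s+result=(?P<result>ok|fail)\s+src=(?P<src>\S+)$"
)


def parse_login(line: str) -> LoginEvent | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(m["ts"], m["dev"], m["user"], m["method"],
                      m["result"] == "ok", m["src"])


def find_zyfwp_logins(lines) -> list[LoginEvent]:
    """Every authentication event for the hidden account, in log order.

    Any use of zyfwp is suspicious: administrators never log in as it, and
    on patched firmware it does not exist, so even failed attempts show
    someone trying the public credential against this device.
    """
    return [e for e in map(parse_login, lines) if e and e.user == "zyfwp"]


def successes_outside_admin_nets(events, admin_nets) -> list[LoginEvent]:
    """Successful zyfwp logins from sources outside the admin ranges:
    the events that most strongly indicate an actual compromise."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    return [e for e in events if e.success
            and not any(ipaddress.ip_address(e.src) in n for n in nets)]


# Constructed sample log (RFC 5737 documentation address as the attacker).
SAMPLE_LOG = """\
2020-12-23T02:14:05Z usg110-hq auth: user=admin method=https result=ok src=10.0.5.12
2020-12-23T02:15:41Z usg110-hq auth: user=zyfwp method=ssh result=fail src=203.0.113.7
2020-12-23T02:15:43Z usg110-hq auth: user=zyfwp method=ssh result=ok src=203.0.113.7
2020-12-23T02:16:02Z usg110-hq auth: user=zyfwp method=https result=ok src=203.0.113.7
2020-12-23T03:00:00Z usg110-hq auth: user=admin method=ssh result=ok src=10.0.5.12
this line is not an auth record and is skipped
"""

if __name__ == "__main__":
    print("USG V4.60(ABAQ.0) vulnerable:", is_vulnerable_firmware("USG", "V4.60(ABAQ.0)"))
    hits = find_zyfwp_logins(SAMPLE_LOG.splitlines())
    for e in successes_outside_admin_nets(hits, ["10.0.5.0/24"]):
        print(f"COMPROMISE INDICATOR: {e.timestamp} {e.device} zyfwp via {e.method} from {e.src}")
```

Run it against a firmware inventory and an exported auth log; any successful `zyfwp` login, and in particular one from outside the admin network, should trigger the credential rotation and VPN account review listed above rather than just a patch.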
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-29583 |
| Vendor / Product | Zyxel — Multiple Products |
| NVD Published | 2020-12-22 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-522 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-12-22 | CVE published; Zyxel releases patches and Eye Control publishes 'zyfwp' account disclosure |
| 2020-12-22 | Password 'PrOw!aN_fXp' for hardcoded zyfwp account becomes public knowledge |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Zyxel Security Advisory — Hardcoded Credential Vulnerability | Vendor Advisory |
| Eye Control — Undocumented User Account in Zyxel Products | Security Research |
| NVD — CVE-2020-29583 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |