Zyxel has released a patch for a critical vulnerability in its firewall firmware: a hardcoded, undocumented account. The account ("zyfwp") has a password that the device owner cannot change, is stored in plaintext in the firmware, and lets a malicious third party log in to the SSH server or the web administration interface with admin privileges. The flaw is tracked as CVE-2020-29583 (CVSS score 7.8) and was found by researcher Niels Teusink of the Dutch security firm EYE. It affects the ATP, USG, USG FLEX and VPN firewall series running firmware version 4.60 Patch 0 and is fixed in 4.60 Patch 1. The Taiwanese company is also expected to fix the same issue in its NXC2500 and NXC5500 access point controllers with V6.10 Patch 1, scheduled for release in April 2021.
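The practical lesson of this advisory is that an account can be login-capable without appearing in any documentation. The following is an added example, not code from the article or from Zyxel: a small Python audit that takes passwd- and shadow-style files pulled from an extracted firmware image and flags accounts that can log in but are not on the vendor's documented list, that hold uid 0, or whose password field is not a crypt(3) hash (a plaintext secret looks like that). The two sample files, the account names in them and the `documented` set are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for /etc/passwd and /etc/shadow taken
# from an extracted firmware image. The accounts are made up for this example
# and are not Zyxel's.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:administrator:/home/admin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcacct:x:0:0:service account:/:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18000:0:99999:7:::
admin:$6$saltsalt$zyxwvutsrqponmlkjihgfedcba9876543210:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svcacct:N0tAHash!:18000:0:99999:7:::
"""

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# crypt(3) modular hash prefixes: md5, bcrypt, sha256, sha512, yescrypt, scrypt.
CRYPT_HASH = re.compile(r"^\$(1|2[abxy]?|5|6|y|7)\$")


@dataclass
class Finding:
    user: str
    uid: int
    shell: str
    reason: str


def parse_colon_file(text):
    """Parse a colon-separated account file into {username: fields}."""
    rows = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, documented):
    """Return findings for login-capable accounts that look undocumented or weak.

    documented: set of account names the vendor documents as existing.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        uid = int(fields[2])
        shell = fields[6] if len(fields) > 6 else ""
        if shell in NOLOGIN_SHELLS:
            continue  # no interactive login possible
        # Prefer the shadow entry; fall back to the passwd password field.
        secret = shadow[user][1] if user in shadow else fields[1]
        if secret.startswith("!") or secret in ("*", "x"):
            continue  # locked, or shadowed with no shadow entry
        reasons = []
        if secret == "":
            reasons.append("empty password (no password required)")
        elif not CRYPT_HASH.match(secret):
            reasons.append("password field is not a crypt(3) hash (possibly plaintext)")
        if user not in documented:
            reasons.append("undocumented login-capable account")
            if uid == 0:
                reasons.append("undocumented account holds uid 0")
        for reason in reasons:
            findings.append(Finding(user, uid, shell, reason))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, {"root", "admin"}):
        print(f"{f.user} (uid {f.uid}, {f.shell}): {f.reason}")
```

On the constructed input only `svcacct` is reported: it is absent from the documented set, holds uid 0, and its password field is a literal string rather than a hash. Run this against every firmware release you deploy, with the documented set taken from the vendor's manual, and treat any new login-capable account as a finding until the vendor explains it.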
Source: https://thehackernews.com/2021/01/secret-backdoor-account-found-in.html